Implementing Sessionless Captcha Verification

I saw a project request to implement sessionless captcha verification. In the blink of a second I thought it sounded like a dumb request: if there is no session, then the data has to be carried along with the HTML form that gets posted, and if so, a clever program can pick up the value and submit it. Then, in the second blink, I worked out that this can be done using two-way encryption. Essentially, generate a random word (or words) on the server side, two-way encrypt it, and put the encrypted string in the form as a hidden variable. In addition, provide the encrypted string in the URL of the image, which is generated dynamically. The image request can decode the string and then render the captcha image. When the user submits the form, it contains the user’s value and the encrypted value, which can be checked against each other on the server.



7 responses to “Implementing Sessionless Captcha Verification”

  1. Vasu

    Actually I implemented a version (without a session and without using a database) for my website, as I am getting a lot of spam at ‘Notice Board’. I am refining it as I think of any possible threat of decoding the string I sent to the client in a hidden variable. So far it is working fine.

    PS: I did not use any complicated image generation tool and you can see it at .

  2. Dustin

    I actually use the exact algorithm you outlined in most of my projects. The only catch is all a spammer needs is a matching encrypted value / decrypted value set and they can send as many emails as they want.

    My solution to this is to salt the encrypted value with the day of the year, which can cause unwanted results at 11:59pm, but I feel that this is a small price to pay for the lack of spam.

    Oh, and I created a 2 way encryption that encrypts to multiple values that all decrypt to a single value. This way, the code in the hidden field and the code in the image url are completely different. Email me if you want the step by step on how this works.

    I also typically add a couple of random honeypots and store the user’s IP address in the form (as a salted md5 hash) so I can verify it on the other side.

    The captcha image is created in php just by using an obfuscated font. The one I prefer is .

    No spam yet…

    Hope this helps someone.

  3. Travis

    This is simply the best method I’ve found for captchas. I have a solution that works now using sessions, but that of course requires sessions (and the user to accept cookies) in order to work. This seems much simpler and just as secure, so I think I will be switching my sites over to using this methodology.

    Something worth noting is that it’s often nice to allow the user to “reload” the captcha if they can’t easily read it. This could easily be done with a bit of ajax — basically, call a script that generates a new word and returns the 2-way encrypted value. Then update the hidden form field value with that encrypted value, and also update the image by passing the encrypted value in the querystring. I will probably just build a jquery plugin to do this to keep it clean and make it easily-reusable on my sites.

  4. Travis

    Also — another way to help secure this would be to store the encrypted value to a database and set an expiration time on it, such as 1 hour (or whatever makes sense for your application). Then, as soon as it’s validated server-side (i.e., used), clear the entry from the database. That way, if a hacker had the encrypted value and the decrypted word, they, just like humans, could only use it once before it’d no longer be good (until it randomly gets generated again, which is not likely to happen anytime soon).

  5. S

    Travis, yes. All those are good improvements and hacker-proof to the extent possible.

    However, I once saw a project, probably on the same freelance website, where some guy was ready to pay $3 to someone who manually enters 1000 CAPTCHAs, and there were people who bid for it. $3 is decent for a day’s work in many countries. So, if someone is bent on hacking, they will hack. But I guess that kind of effort is put in only for top websites. Otherwise, for most of us this will do.

  6. Sure, you can do a Sessionless Captcha. I created a tutorial page + source download on my website:

    • S

      I am not a security expert, but if both the original text and the 2-way encrypted string are known for enough words, it might be possible to figure out the encryption.
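The following Python example is added here and is not code from the post or from any commenter. It implements the encrypted-token scheme from the post with two refinements raised in the comments: an expiry timestamp carried inside the token (instead of a day-of-year salt) and single use. The key, the TTL, the function names and the `used` set (standing in for a database of spent tokens) are assumptions, and the HMAC-SHA256 keystream is a standard-library stand-in for a vetted authenticated cipher.

```python
import base64, hashlib, hmac, secrets, struct, time

KEY = secrets.token_bytes(32)  # server-side secret (constructed here; load from config)
TTL = 600                      # assumed token lifetime in seconds

def _prf(label, data):
    return hmac.new(KEY, label + data, hashlib.sha256).digest()

def _xor_stream(nonce, data):
    # HMAC-SHA256 in counter mode as a keystream: a stdlib stand-in for a vetted
    # authenticated cipher such as AES-GCM, which production code should use.
    blocks = (len(data) + 31) // 32
    stream = b"".join(_prf(b"enc", nonce + struct.pack(">I", i)) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def issue(word, now=None):
    """Encrypt the captcha word into a token for the hidden field or the image URL."""
    nonce = secrets.token_bytes(16)  # fresh per token, so equal words give different tokens
    expires = int((time.time() if now is None else now) + TTL)
    body = nonce + struct.pack(">Q", expires) + _xor_stream(nonce, word.lower().encode())
    return base64.urlsafe_b64encode(body + _prf(b"mac", body)).decode()

def open_token(token, now=None):
    """Return (word, nonce), or None if the token is malformed, forged or expired."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:
        return None
    if len(raw) < 56:  # 16-byte nonce + 8-byte expiry + 32-byte tag
        return None
    body, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(tag, _prf(b"mac", body)):
        return None
    if (time.time() if now is None else now) > struct.unpack(">Q", body[16:24])[0]:
        return None
    return _xor_stream(body[:16], body[24:]).decode(), body[:16]

def verify(token, answer, used, now=None):
    """Check a form submission; `used` stands in for the database of spent tokens."""
    opened = open_token(token, now)
    if opened is None or opened[1] in used:
        return False
    word, nonce = opened
    used.add(nonce)  # spend the token on any attempt, right or wrong
    return hmac.compare_digest(word.encode(), answer.strip().lower().encode())
```

The image endpoint would call `open_token` on the token from its URL and render the returned word; only `verify` spends a token, so the hidden field and the image URL should each get their own `issue` call for the same word.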
