[mod_python] CAPCHA

Deron Meranda deron.meranda at gmail.com
Tue Jul 11 11:15:55 EDT 2006


There was a thread on captchas not too long ago.
http://www.modpython.org/pipermail/mod_python/2006-June/021450.html

On 7/11/06, marinus van aswegen <mvanaswegen at gmail.com> wrote:
> I'm working on a CAPTCHA module. The plan is to save the password to
> the session object and then to serve the image via function (pipe an
> image from a buffer to the browser that's expecting an image). Has
> anyone tried anything like this?

Yes, I serve binary files (including images) directly via mod_python
all the time.  You just need to be careful of your content-type header
and make sure you don't output any stray bytes here or there.

As for generating your captcha image after the password validation,
you may want to rethink that.  It would then be possible to do a
brute-force password guessing attack without ever having to
automatically break the captcha (so in essence your captcha is
not doing what its primary purpose is).  You want to validate the
captcha response at the same time you validate the password.
And the image should be seeded from a cryptographic random
source each time (instead of a deterministic function), and the
seed values should never be re-used.
-- 
Deron Meranda
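
The advice in the reply above (check the captcha together with the password, draw each challenge from a cryptographic random source, never reuse one), as an added example that is not code from the original post. It assumes a dict-like session object; the names new_challenge, check_login, hash_password, USERS and the "captcha_answer" key are hypothetical, and the user record is constructed sample data.

```python
import hashlib
import hmac
import secrets

# Assumption: answer alphabet with look-alike characters (0/O, 1/I) left out.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

def hash_password(password, salt):
    """Salted PBKDF2 hash, standing in for whatever password store is in use."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def new_challenge(session):
    """Draw a fresh answer from the OS CSPRNG and keep it server-side only."""
    answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
    session["captcha_answer"] = answer
    return answer  # handed to the image renderer, never sent to the client as text

def check_login(session, users, username, password, captcha_response):
    """Check captcha and password in the same step and return one verdict."""
    # pop() consumes the challenge on every attempt, pass or fail, so a
    # solved captcha cannot be replayed across many password guesses.
    expected = session.pop("captcha_answer", None)
    captcha_ok = expected is not None and hmac.compare_digest(
        expected.encode(), captcha_response.strip().upper().encode())
    # Unknown users get a dummy record so the hash is computed either way.
    salt, stored = users.get(username, (b"\x00" * 16, b""))
    password_ok = hmac.compare_digest(stored, hash_password(password, salt))
    # A single combined result: the caller cannot tell which check failed.
    return captcha_ok and password_ok

# Constructed sample user store: username -> (salt, password hash)
_salt = secrets.token_bytes(16)
USERS = {"alice": (_salt, hash_password("correct horse", _salt))}
```

After any failed attempt the caller has to call new_challenge() again and serve a new image before the next login can succeed.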

