Reduce captcha calls by remembering successful captcha users


I'm looking for a solution to reduce the number of captcha calls I need to make.

I have a website that allows free usage for one app with a text box and button. Users might use it 10 times, and thus I call captcha 10 times. However, this adds up to a ridiculous expense I can't continue to afford. I need a solution to track successful captcha so a user receives only one captcha if successful.

My Thought:

  1. On successful captcha
  2. Store real user identifier in Redis (Hash out IP, User Agent, and WebRTC (not fully aware of what this is, but I was recommended to use this))
  3. Future calls check if user is valid by checking their hashed identifier (TTL of 90 days)

Any other recommendations or suggestions? Any potential problems?

PS: info about WebRTC in this use case would be helpful as well

Kevin Danikowski On BEST ANSWER

I decided to use a hash of the IP and User-Agent, considering everything I would take from the client can be spoofed (even the User-Agent can be). To combat the spoofing, I added IP rate limiting.

Now, before making API calls from the client, I make a call to verify that the user is a verified user (I consider a validated captcha a non-robot verification for 24 hours. I'll mess with increasing this over time).

This should effectively reduce my captcha calls by 60%.
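
An added example, not part of the answer above or the author's code: a sketch of the scheme the answer describes (fingerprint of IP and User-Agent, 24-hour verified window, per-IP rate limit). Assumptions: a dict stands in for Redis keys with a TTL, the fingerprint is an HMAC under a server-side key rather than a plain hash, and the key, class name and rate-limit numbers are hypothetical.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"  # assumption: server-side secret, not from the page
VERIFIED_TTL = 24 * 3600              # the answer's 24-hour verified window
RATE_LIMIT, RATE_WINDOW = 30, 60      # assumption: 30 requests per IP per 60 seconds


class CaptchaGate:
    """In-memory stand-in for Redis (SET ... EX for verified, INCR + EXPIRE for hits)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.verified = {}  # fingerprint -> expiry timestamp
        self.hits = {}      # ip -> (window_start, count)

    @staticmethod
    def fingerprint(ip, user_agent):
        # Keyed hash: a leaked store cannot be brute-forced back to IPs without
        # the key. The length prefix keeps the ip/user-agent boundary unambiguous.
        msg = f"{len(ip)}:{ip}|{user_agent}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def allow_ip(self, ip):
        # Fixed-window counter keyed on the IP alone, so changing the
        # User-Agent does not reset the budget.
        now = self.clock()
        start, count = self.hits.get(ip, (now, 0))
        if now - start >= RATE_WINDOW:
            start, count = now, 0
        self.hits[ip] = (start, count + 1)
        return count + 1 <= RATE_LIMIT

    def mark_verified(self, ip, user_agent):
        # Call only after the captcha token was confirmed server-side.
        self.verified[self.fingerprint(ip, user_agent)] = self.clock() + VERIFIED_TTL

    def decide(self, ip, user_agent):
        """Return 'rate_limited', 'allow' or 'captcha' for one request."""
        if not self.allow_ip(ip):
            return "rate_limited"
        expiry = self.verified.get(self.fingerprint(ip, user_agent))
        if expiry is not None and expiry > self.clock():
            return "allow"
        return "captcha"
```

The IP passed in must be the one the server observed on the connection (or from a trusted proxy), never a client-supplied header, and everyone behind one NAT address with the same User-Agent shares a fingerprint.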