August 17, 2007 by alex
On autoki.com we have this “Tell-a-friend” functionality, where people can enter the email addresses of their friends and have the link to a cool photo or car sent to them. Until recently this was only accessible to logged in users because we were afraid of spam bots using it to send emails to everyone using our servers. At some point we realized that this function could be much more useful if everyone would be able to use it - member or not. The solution we chose to fight the spam bots was pretty standard: Captchas - Completely Automated Public Turing tests to tell Computers and Humans Apart. (I just love this name)
There are a couple of plugins for rails to implement captchas. Most of them display an image with distorted letters and numbers and ask the user to enter these in a form field. The alternative is to ask the user a simple question that a human can easily answer but a computer (as in spam bot) can not. The latter has two advantages: they work for blind people / text browsers and we don’t have to generate and store images - so we went with this one. validates_captcha (sorry couldn’t find a working link) is a plugin we have used before and it supports both - images and questions (so called logic captchas).
Now the only problem was this: autoki runs on multiple servers and the captcha validation process involves multiple http requests, which can each go to a different server. Validates_captcha stores the captchas in a local file, so if the generation of the captcha occurs on one server but the validation on another, that other server can’t find the captcha. The solution we chose is actually pretty simple: rewrite validates_captcha to use memcache instead of the local file.
To accomplish this we only had to change one file, captcha_challenge.rb. All we had to do was replace all the occurrences of
store[:captchas] with memcache. The modified file now looks like this:
With this, all captchas now get stored on the central memcache server and all the application servers have access to it. And it’s even better than the original, because memcache supports time to live, so old captchas get removed from the store automatically.
Note: We are using the MemcacheClient gem to access memcache from rails. The
CACHE constant is declared in the environment files, so in production.rb we have this:
For development and testing we use a simple hash based stub:
Now the exercise left would be to factor out the storage code so the choice of captcha storage can be configured in the validates_captcha configuration, anyone? :)