Solved

Ensure form submit button is clicked by 'real' user?

Posted on 2012-03-10
Last Modified: 2013-01-25
I run an ecommerce site where some of the sellers sell very high demand items. The purchase of an item is essentially via form submission (see http://hyenacart.com/HCMulti/mt/1/56902/trsty, for example.)

Apparently, some users are scripting automated code using code like Selenium (http://seleniumhq.org/docs/01_introducing_selenium.html) to give them an edge in being the first one to submit when a listing goes live.

Is there any way to outwit these scripting codes and ensure that the 'submit' button is being triggered by an actual physical mouse click (vs. an automated script)?

Thanks!
Question by:maxbook
13 Comments
 
LVL 13

Accepted Solution

by:
Hugh McCurdy earned 250 total points
ID: 37706128
Use captcha or similar.

http://www.captcha.net/
0
 
LVL 15

Expert Comment

by:StingRaY
ID: 37706142
I agree with @hmccurdy. You can also use reCAPTCHA: http://recaptcha.net/
0
 

Author Comment

by:maxbook
ID: 37706680
Thanks, for the suggestion! Just wondering, is there any other way? This is under a very high demand purchase situation. Imagine refreshing over and over again, waiting for the next generation iPhone or your favorite band's concert tickets to become available. It seems very user-unfriendly to ask people to complete a captcha form in that situation just at the moment when the item becomes available and they can finally purchase. Not to mention, the traffic already slows my site down -- not sure how long the captcha might take to render when the site is under load, but I don't think my users will tolerate further slowdowns.
0
 
LVL 13

Expert Comment

by:Hugh McCurdy
ID: 37706736
If there was another reliable way, there would have been no need to develop Captcha.

But I believe I understand the problem.  Sounds a lot like an auction.

One idea I have is to have captcha at some point prior to the item becoming live, say 2 minutes.  They could still fire up their script but 2 minutes earlier, they'd have to prove being human.  That still might be too much load but I don't fully understand the pressure your site is under.  (I just realize it exists.)

Another idea is to tentatively accept the transaction and then demand they complete a test to complete their order.
0
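One way to implement the pre-qualification idea from the comment above, as an added example that is not code from the thread: the buyer solves a captcha before the listing goes live and receives a pass that is HMAC-bound to their session and the listing, expires after two minutes, and can be redeemed only once. The function names, the secret, the listing id and the in-memory `$used` store are assumptions for illustration, the captcha check itself is out of scope, and PHP 7.1+ is assumed.

```php
<?php
// Added example: pre-qualification pass issued after a solved captcha (hypothetical names).
const PASS_LIFETIME = 120; // seconds, matching the "2 minutes" suggested in the thread

// Issue a pass once the caller has verified the buyer's captcha answer.
function issue_pass(string $secret, string $sessionId, int $listingId, int $now): string
{
    $expires = $now + PASS_LIFETIME;
    $payload = $sessionId . '|' . $listingId . '|' . $expires;
    return $expires . '.' . hash_hmac('sha256', $payload, $secret);
}

// Verify the pass when the purchase form is submitted.
// $used records spent passes (an array here; shared server-side storage in practice).
function redeem_pass(string $secret, string $sessionId, int $listingId,
                     string $pass, int $now, array &$used): bool
{
    $parts = explode('.', $pass, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;                 // malformed pass
    }
    [$expires, $mac] = $parts;
    if ((int)$expires < $now) {
        return false;                 // captcha was solved too long ago
    }
    $payload = $sessionId . '|' . $listingId . '|' . $expires;
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return false;                 // forged, or bound to another session or listing
    }
    if (isset($used[$mac])) {
        return false;                 // replay: one purchase attempt per solved captcha
    }
    $used[$mac] = true;
    return true;
}

// Constructed demo values (not real data).
$secret = 'demo-secret-change-me';
$used   = [];
$t0     = 1331400000;
$pass   = issue_pass($secret, 'sess-A', 1001, $t0);

var_dump(redeem_pass($secret, 'sess-A', 1001, $pass, $t0 + 90, $used));  // first use, in window
var_dump(redeem_pass($secret, 'sess-A', 1001, $pass, $t0 + 95, $used));  // same pass replayed
var_dump(redeem_pass($secret, 'sess-B', 1001, $pass, $t0 + 90, $used));  // different session
var_dump(redeem_pass($secret, 'sess-A', 1001, $pass, $t0 + 121, $used)); // after expiry
```

Because the pass check is a single HMAC and an array or cache lookup, it adds almost no load at the moment the listing goes live; the captcha cost is paid earlier, when traffic is lower.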
 

Author Comment

by:maxbook
ID: 37707205
OK -- thanks. So there's no way of checking server-side that the submit came from a physical mouse click or keystroke? I guess not, because then, like you said, we wouldn't need captcha. Thanks!
0
 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 37707286
This might be a little easier on the eyes than reCaptcha.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_9849-Making-CAPTCHA-Friendlier-with-PHP-Image-Manipulation.html

You might get away with using a form token.  They can be programmatically defeated, but your clients might not have the sophistication to do that.  Just a thought (and less annoying than most Captcha tests).
<?php // RAY_form_token.php
error_reporting(E_ALL);


// DEMONSTRATE THE USE OF A FORM TOKEN TO UNIQUELY IDENTIFY FORMS


// START THE SESSION ON EVERY PAGE
session_start();

// REQUIRED FOR DATE/TIME PROCESSING AFTER PHP 5.1+
date_default_timezone_set('America/Chicago');



// CREATE AN IDENTITY IN THE FORM
function make_form_token()
{
    // A RANDOM STRING FROM THE CSPRNG (PHP 7+) - A DIGEST OF time() CAN BE GUESSED
    $token     = bin2hex(random_bytes(16));
    $_SESSION["_form_token"]    = $token;
    return $token;
}



// EVALUATE THE IDENTITY IN THE FORM
function check_form_token($token='')
{
    // CHOOSE THE TOKEN WE WANT TO TEST
    if ($token === '')
    {
        $token = isset($_POST["_form_token"]) ? $_POST["_form_token"] : '';
    }

    // COMPARE OUR CURRENT TOKEN TO THE SESSION STORED TOKEN (STRICT, CONSTANT-TIME)
    if (is_string($token) && isset($_SESSION["_form_token"]) && hash_equals($_SESSION["_form_token"], $token))
    {
        // DISCARD THE TOKEN TO ENSURE THAT IT CAN ONLY BE USED ONCE
        unset($_SESSION["_form_token"]);
        return TRUE;
    }
    return FALSE;
}



// MODIFY THIS IF YOU WANT A FRIENDLY FORM TOKEN ERROR
function form_token_error()
{
    die("Form Token Error");
}



// DEMONSTRATE HOW THIS WORKS
// SESSION IS REQUIRED - SEE ABOVE WHERE WE STARTED THE SESSION
// session_start();

// CHECK FOR FORM INPUT
if (!empty($_POST))
{
    // SHOW THE FORM TOKEN (EMPTY IF THE SESSION HAS NONE YET)
    $token = isset($_SESSION["_form_token"]) ? $_SESSION["_form_token"] : '';
    echo "<br />THE FORM TOKEN IS $token ";
    if ( check_form_token() )
    {
        echo "AND IT IS VALID.\n";
    }
    else
    {
        echo "AND IT IS NOT VALID.\n";
    }

    echo "<br />Refresh this screen to resend the data and you can see a form token error.\n";
}



// END OF PHP - PUT UP A FORM TO ILLUSTRATE THE USE OF THE TOKEN
?>
<br /><br />
Click GO to see the form token.
<form method="post">
<input type="hidden" name="_form_token" value="<?=make_form_token()?>" />
<input type="submit" name="submit" value="Go!" />
</form>

0
 
LVL 26

Expert Comment

by:akahan
ID: 37707348
I don't expect points for this, as it doesn't solve your problem, but would just say, in response to:

"It seems very user-unfriendly to ask people to complete a captcha form in that situation just at the moment when the item becomes available and they can finally purchase."

People are completely accustomed to the use of captchas in the situation you describe: Ticketmaster, for example, does exactly this.  I think most people understand that the annoyance is a small price to pay for fairness.  Clearly, you're not going to lose sales by doing this, since the whole problem is predicated on there being an overabundance of buyers.
0
 

Author Comment

by:maxbook
ID: 37707827
Thanks for the form token idea, Ray! I was pondering doing something like this, but I think some of the automated scripts are actually targeting to 'click' the buy now button when it appears (apparently they need to know exactly where on the screen it will appear in order for their script to work), so I'm guessing that the form_token will be intact in this situation and would still give an advantage to script users.

Akahan -- very good point. You are right, there will not be any lost sales. It's just that these users are very passionate, and very testy, and I can imagine the amount of complaining that will happen if this gets implemented. As you said though, it is simply replicating what other major sites use in these situations. I found this very interesting article: http://provenue.tickets.com/US/cs_06.php

I also found this, which might be more fun than standard captchas: http://areyouahuman.com/

Thanks for all the input and I am open to any and all ideas!
0
 

Assisted Solution

by:maxbook
maxbook earned 0 total points
ID: 37718237
I ended up implementing a simplified captcha (trying to balance usability with screening out scripts).

http://hyenacart.com/HCMulti/mt/1/48282/Buy-Now-3-12-12

How hard do you think it would be for someone to code up a script with OCR and have it able to submit this form automatically?

Thanks!
0
 
LVL 26

Expert Comment

by:akahan
ID: 37718579
0
 

Author Comment

by:maxbook
ID: 37719307
OK -- thanks. I wonder how fast those scripts are? In this high demand situation, it will be a speed test between the humans and the scripts...
0
 
LVL 53

Expert Comment

by:Dhaest
ID: 38818060
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
