Drupal captcha and cookies

I have come up with a theoretical method to remove the dependence of the Drupal captcha module on cookies (or in particular, the dependence on the PHP session, which by default uses cookies). As ideas go it is in the early stages, but basically it removes the necessity for storing the captcha in the PHP session by putting an encrypted version of the captcha into the form as a hidden form entry. When the user submits the form, the encrypted captcha is passed back and can be decrypted and compared to the user-entered captcha for verification. Ideally cookies should be used if they are available, but if not, this could be a fallback.

Two main problems/hurdles with this idea:

  • How to encrypt the captcha (or captchas, in the case of accessible options). The standard PHP crypt() is one-way encryption (which currently uses DES by default). I will need two-way encryption (encryption and decryption). Efficiency is a big issue here: the encryption need only be strong enough to deter simple robots/scrapers, so efficiency is more important than security. Also, a secret key of some sort will need to be known on the server. How this is automatically selected so that robots, scrapers, etc. cannot determine it is an important issue.
  • Currently image captchas are created when the browser loads the captcha image (using the textimage module), and it is at this point that the captcha is chosen and set in the PHP session. Creating it in the form moves the time of captcha selection to the time the form is created (not the time the image is loaded). So, how do we inform the textimage module which captcha it needs to draw? A solution to this is to use the encrypted captcha as the argument to the image creation callback (currently it is "time" to avoid browser cache issues and is unused as an argument).
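
One way the hidden-field token described above could be built, as an added example that is not part of the original post or of the captcha/textimage modules. It uses PHP's OpenSSL extension with AES-256-GCM rather than a bare two-way cipher, so a modified token is rejected, and it binds the token to a form id and an expiry time. The function names, the 600-second lifetime and the randomly generated server-side key are assumptions.

```php
<?php
// Added example; not code from the captcha or textimage modules.
// captcha_token_seal(), captcha_token_open() and CAPTCHA_TTL are hypothetical names.
const CAPTCHA_TTL = 600; // assumed validity window in seconds

// Encrypt the solution and an expiry time with AES-256-GCM. The form id is
// bound as associated data, so a token issued for one form fails on another.
function captcha_token_seal(string $solution, string $form_id, string $key, ?int $now = null): string {
    $payload = json_encode(['s' => $solution, 'e' => ($now ?? time()) + CAPTCHA_TTL]);
    $nonce = random_bytes(12); // fresh for every token under the same key
    $ct = openssl_encrypt($payload, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag, $form_id);
    return bin2hex($nonce . $tag . $ct); // hex is safe in a hidden field and in a URL
}

// Returns the solution, or null if the token is malformed, modified,
// issued for a different form, or expired.
function captcha_token_open(string $token, string $form_id, string $key, ?int $now = null): ?string {
    // 12-byte nonce + 16-byte tag + at least 1 byte of ciphertext, lowercase hex.
    if (!preg_match('/\A(?:[0-9a-f]{2}){29,}\z/', $token)) {
        return null;
    }
    $raw = hex2bin($token);
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
        substr($raw, 0, 12), substr($raw, 12, 16), $form_id);
    if ($pt === false) {
        return null; // authentication tag did not verify
    }
    $data = json_decode($pt, true);
    if (!is_array($data) || !isset($data['s'], $data['e']) || $data['e'] < ($now ?? time())) {
        return null;
    }
    return (string) $data['s'];
}

// Constructed demonstration values.
$key = random_bytes(32); // assumption: generated once at install time and kept server-side
$token = captcha_token_seal('x7Kq2', 'comment_form', $key);

$solution = captcha_token_open($token, 'comment_form', $key);
var_dump($solution !== null && hash_equals($solution, 'x7Kq2'));           // correct answer
var_dump(captcha_token_open($token, 'user_register', $key));               // wrong form
var_dump(captcha_token_open($token, 'comment_form', $key, time() + 3600)); // expired
$flipped = substr($token, 0, -1) . ($token[-1] === '0' ? '1' : '0');
var_dump(captcha_token_open($flipped, 'comment_form', $key));              // tampered
```

Because nothing is stored on the server, a token and its solved answer remain valid together until the expiry passes; enforcing single use would need server-side state again. The same token can serve as the image callback argument, since the callback can call captcha_token_open() to learn what to draw.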

Although I could imagine getting this working, I will sit on the ideas for a while and see what alternatives I come up with. In the meantime I have implemented a simple warning message in the textimage/captcha modules that is issued when cookies are not enabled. I may pass this on to the captcha/textimage project pages on the Drupal site for discussion.