

Handling Flash Crowds From Your Garage - antiform
http://www.usenix.org/events/usenix08/tech/full_papers/elson/elson_html/index.html

======
bumbledraven
"In between the time a user requests a CAPTCHA and the time the CAPTCHA is
scored, Asirra must keep state in order to recognize if the answer was
correct, and do other accounting."

In this section, the paper only explores ways of keeping state on the server.
But a better way to do this is to give the client an encrypted token -- as a
cookie or as part of the form action URL -- identifying the CAPTCHA they were
sent. Then the server itself can be stateless.
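
The stateless design described in the comment above, as an added example that is not part of the original comment or the paper: the server seals the challenge id, the expected answer and an expiry into an AES-256-GCM token, hands it to the client, and later scores the submission from the token alone. The key handling, field names, five-minute TTL and answer encoding are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed key for this example; an assumed deployment would load one
// 32-byte secret shared by every front-end server.
const KEY = crypto.randomBytes(32);
const TTL_MS = 5 * 60 * 1000; // hypothetical validity window

// Seal challenge id, expected answer and expiry into an opaque token.
// Layout before encoding: 12-byte IV | 16-byte GCM tag | ciphertext.
function issueToken(challengeId, answer, now = Date.now()) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', KEY, iv);
  const body = JSON.stringify({ id: challengeId, ans: answer, exp: now + TTL_MS });
  const ct = Buffer.concat([cipher.update(body, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64url');
}

// Score a submission using only the token the client sent back.
// Returns 'ok', 'wrong', 'expired' or 'invalid'.
function scoreToken(token, submitted, now = Date.now()) {
  let claims;
  try {
    const raw = Buffer.from(token, 'base64url');
    if (raw.length < 28) return 'invalid'; // too short to hold IV and tag
    const decipher = crypto.createDecipheriv('aes-256-gcm', KEY, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    // final() throws if the tag does not match, i.e. the token was altered or forged.
    const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    claims = JSON.parse(pt.toString('utf8'));
  } catch {
    return 'invalid';
  }
  if (now > claims.exp) return 'expired';
  return submitted === claims.ans ? 'ok' : 'wrong';
}
```

Because nothing is stored, the same token and answer verify again until `exp`; making a challenge single-use still requires a short expiry or a small server-side record of spent challenge ids.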

------
paulleviss
Interesting.

