PHP Anti‑Crawler Login Security: Captcha, Encryption, and Dynamic Token Mechanisms
This article explains three PHP‑based techniques—captcha verification, encrypted parameter transmission, and dynamic token validation—to protect web login pages from automated crawling and credential‑stealing attacks, while also noting their limitations and implementation details.
As web crawlers become more sophisticated, simulating user login is a common way to harvest data, creating security risks for web applications. This guide presents three PHP‑based defensive mechanisms that can be integrated into a login workflow to mitigate such threats.
1. Captcha Mechanism – Adding a captcha image and input field to the login form forces human interaction. The example generates a random 4‑digit code, stores it in the session, renders it as a PNG image from a separate image-generating script, and validates the user‑entered value on the server.
<code><?php
// captcha.php: generates the image. This must be a separate script from the
// form, because one HTTP response cannot carry both a PNG and HTML.
session_start();
$code = random_int(1000, 9999);                  // CSPRNG; rand() is predictable
$_SESSION["code"] = $code;
$im = imagecreate(60, 20);
$black = imagecolorallocate($im, 0, 0, 0);       // first colour becomes the background
$white = imagecolorallocate($im, 255, 255, 255);
imagestring($im, 5, 5, 2, (string)$code, $white);
header("Content-type: image/png");
imagepng($im);
imagedestroy($im);
?>
</code> <code><!-- login.php: the form; the img tag requests captcha.php -->
<form action="check_login.php" method="post">
<label>用户名:<input type="text" name="username"></label><br>
<label>密码:<input type="password" name="password"></label><br>
<label>验证码:<input type="text" name="code"></label>
<img src="captcha.php" alt="captcha" />
<input type="submit" value="登录">
</form>
</code>
The server side of the captcha checks the submitted code against the session value and should discard the stored code after one comparison; if the values differ, an error is returned. Note that OCR‑based attacks can still bypass simple captchas.
2. Encrypted Verification Mechanism – By encrypting the login parameters with a temporary key, the raw username and password are never exposed in the request URL.
<code>// Client side: generate a temporary key
$rand_str = substr(md5(uniqid()), 0, 6);
$timestamp = time();
$key = md5($rand_str . $timestamp);   // 32 hex chars; openssl silently uses only the first 16 bytes for AES-128
// Encrypt parameters. ECB uses no IV and reveals repeated blocks, and the key is
// sent alongside the ciphertext, so this hides the values rather than securing them.
$param = array("username" => "xxxx", "password" => "xxxx");
$param_str = http_build_query($param);
$encrypted_str = bin2hex(openssl_encrypt($param_str, 'AES-128-ECB', $key));   // base64 output, then hex-encoded
// Send to backend
$url = "http://xxx.com/check_login.php";
$fields = array('param' => $encrypted_str, 'key' => $key);
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, $fields);
$res = curl_exec($curl);
</code>
On the receiving side, the server decrypts the payload using the provided key, parses the query string, and extracts the original credentials.
<code>// check_login.php
$key = $_POST['key'] ?? '';
$encrypted_str = $_POST['param'] ?? '';
// hex2bin() warns and returns false on malformed input; openssl_decrypt() returns false on failure
$param_str = openssl_decrypt((string)hex2bin($encrypted_str), 'AES-128-ECB', $key);
parse_str((string)$param_str, $param_arr);
$username = $param_arr['username'] ?? '';
$password = $param_arr['password'] ?? '';
</code>
This approach raises the difficulty for casual crawlers, but because the key travels in the same request, anyone who captures the request can decrypt the parameters; it therefore does not protect against man‑in‑the‑middle attacks unless TLS is used.
3. Dynamic Token Mechanism – A one‑time token stored in the session is required during login, preventing replay or packet‑capture attacks.
<code><?php
// login.php (token generation)
session_start();
$token = bin2hex(random_bytes(16));   // unguessable; md5(uniqid()) is time-derived and predictable
$_SESSION['token'] = $token;
?>
<!-- HTML form: the server places the token in a hidden field, since the user cannot know it -->
<form action="check_login.php" method="post">
<label>用户名:<input type="text" name="username"></label><br>
<label>密码:<input type="password" name="password"></label><br>
<input type="hidden" name="token" value="<?php echo htmlspecialchars($token); ?>">
<input type="submit" value="登录">
</form>
</code> <code><?php
// check_login.php (validation)
session_start();
$expected = $_SESSION['token'] ?? '';
unset($_SESSION['token']);   // one-time use: discard before comparing, so a failed attempt also burns it
if ($expected === '' || !hash_equals($expected, (string)($_POST['token'] ?? ''))) {
    echo "动态令牌错误";
} else {
    // token valid: proceed with further checks
}
?>
</code>
By requiring the token to match the server‑side value and discarding it after a single use, attackers cannot simply replay captured requests.
Conclusion – Combining captcha, encrypted parameter transmission, and dynamic token validation provides layered protection against automated login attempts. Developers should adapt and extend these techniques based on the specific threat model and application requirements.
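The three checks combined in one check_login.php, as an added example that is not the article's own code. It assumes captcha.php stored $_SESSION['code'], login.php stored $_SESSION['token'], the client posted code, token, key and param as shown above, and uses a constructed in-memory $users store in place of a database.

```php
<?php
// check_login.php, added example (not the article's code): verifies captcha,
// dynamic token and encrypted parameters together, then checks credentials.
// Assumes captcha.php stored $_SESSION['code'] and login.php stored
// $_SESSION['token']; $users is a constructed in-memory user store.
session_start();
$users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
function fail(string $msg): void {
    http_response_code(403);
    echo $msg;
    exit;
}
// 1. Captcha: constant-time string compare, then discard (single use).
$expected = (string)($_SESSION['code'] ?? '');
unset($_SESSION['code']);
if ($expected === '' || !hash_equals($expected, (string)($_POST['code'] ?? ''))) {
    fail('captcha mismatch');
}
// 2. Dynamic token: same pattern; unset before comparing so a failed attempt
//    also burns the token instead of leaving it open to retries.
$token = (string)($_SESSION['token'] ?? '');
unset($_SESSION['token']);
if ($token === '' || !hash_equals($token, (string)($_POST['token'] ?? ''))) {
    fail('token mismatch');
}
// 3. Encrypted parameters: the key travels in the same request, so this only
//    hides credentials from casual logging; TLS is still required.
$hex = (string)($_POST['param'] ?? '');
if ($hex === '' || !ctype_xdigit($hex) || strlen($hex) % 2 !== 0) {
    fail('bad param encoding');
}
$plain = openssl_decrypt(hex2bin($hex), 'AES-128-ECB', (string)($_POST['key'] ?? ''));
if ($plain === false) {
    fail('decrypt failed');
}
parse_str($plain, $param);
$username = (string)($param['username'] ?? '');
$password = (string)($param['password'] ?? '');
// 4. Credential check against password_hash() values; regenerate the session id
//    on success so a pre-login session id cannot be fixed by an attacker.
if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
    fail('bad credentials');
}
session_regenerate_id(true);
$_SESSION['user'] = $username;
echo 'login ok';
```

Every failure path returns the same status code and burns both the captcha and the token, so an automated client gets no more than one guess per rendered form.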