Preventing Account Creation Spam in ILLiad

By default, all ILLiad installations are set up with basic ILLiad authentication. This type of authentication allows anyone with access to the New User Registration web form (NewUserRegistration.html) or Lending New User Registration web form (LendingNewUserRegistration.html) to register for a new account, choose a username and password, and then use that username and password to immediately log into the ILLiad web interface. Because basic ILLiad authentication does not verify user information against any external system at registration or login before creating the user's account, you may experience periods of bot-driven account creation spam, in which bots use the New User Registration forms to create a large number of accounts in a short period of time.

The release of ILLiad Web DLL v9.2.3 and Lending Web DLL v9.2.3 for ILLiad 9.2 and ILLiad Web DLL v9.1.7 and Lending Web DLL v9.1.7 for ILLiad 9.1 includes several new options for preventing excessive new user account creation spam on the New User Registration forms. This article will detail these options and how to configure them for your ILLiad installation after updating.

You must be on ILLiad Web DLL/Lending Web DLL v9.2.3 (ILLiad 9.2) or ILLiad Web DLL/Lending Web DLL v9.1.7 (ILLiad 9.1) at minimum to configure these features. For more information on updating your ILLiad server to install the required version of these components, see the ILLiad 9.1 and ILLiad 9.2 release notes.

Option 1: Add Captcha Requirement to the New User Registration Forms

The captcha requirement is only supported for use on the New User Registration forms (NewUserRegistration.html and LendingNewUserRegistration.html) and cannot be added to other ILLiad web forms, such as the default request forms.

Extra security against spam account creation can be provided by adding a captcha requirement to the New User Registration form (NewUserRegistration.html) and Lending New User Registration Form (LendingNewUserRegistration.html). Once added, users will need to solve the captcha requirement to submit the form and create their ILLiad account, which will prevent bot-driven account creation spam. To add the captcha requirement, ILLiad must be configured to integrate with one of three supported third-party captcha providers. Once a provider is selected, your institution will need to create an account with that provider and use the account details to configure the captcha integration in the ILLiad Customization Manager. The following third-party captcha providers and plans are supported by ILLiad:

  • Google reCAPTCHA: The reCAPTCHA v2 (both the "invisible" and "checkbox" variants) and reCAPTCHA v3 are supported options
    • Note that reCAPTCHA Enterprise is not supported by ILLiad

    Due to a Google bug, HTML5 validation configured on the New User Registration form will no longer properly display the tooltips notifying the user of any missing/invalid information that is preventing the submission of the form when using the "invisible" reCAPTCHA v2 variant. Users may also experience a delay before they are allowed to re-submit the form after their first invalid form submission.
  • hCaptcha: The free "Publisher" plan is supported
  • MTCaptcha: The free plan is supported

Note that only the free captcha account options offered by the captcha providers listed above are supported by ILLiad at this time. Atlas Systems cannot guarantee support for any of the paid account options from these providers. Certain limits may apply based on the provider selected. Please review each provider's documentation for complete details.

Accessibility Information

For complete details on the accessibility features offered by each captcha provider, please see the captcha provider's documentation:

Configuration Overview

After choosing a captcha provider and plan, the captcha requirement can be added to the New User Registration forms following the steps below:

  1. Creating an account with the captcha provider of your choice 
  2. Configuring the captcha customization keys in the ILLiad Customization Manager
  3. Updating your web pages to add the new captcha web page files and to update NewUserRegistration.html and LendingNewUserRegistration.html to include the new captcha field

1. Create a Captcha Account

Before a captcha integration can be configured for ILLiad, you must first create an account with one of the three supported third-party captcha providers. After creating the account, you will use the account information to configure your captcha integration in the Customization Manager. Note that only the free plans offered by each captcha provider are supported by ILLiad at this time. See each provider's section below for more detailed instructions on how to create your account.

Google reCAPTCHA

To create a Google reCAPTCHA account:

  1. Visit https://www.google.com/recaptcha/about/ and optionally review the listed features for reCAPTCHA v2 and reCAPTCHA v3 on this page to decide which option to use for your captcha requirement on the user registration form. For more information, see the reCAPTCHA documentation.

    reCAPTCHA Enterprise is not supported by ILLiad at this time.
  2. Click v3 Admin Console at the top of the page when you are ready to create an account. You will be asked to sign-in/create a Google account before beginning the reCAPTCHA sign-up process if you are not already signed in to Google.
  3. Under Label, enter a label or name to use to identify your account.
  4. Under reCAPTCHA type, select either the reCAPTCHA v3 or reCAPTCHA v2 option
    • If reCAPTCHA v2 is selected, you must then select either the "'I'm not a robot' checkbox" or the "invisible reCAPTCHA badge" variant
  5. Under Domains, type the domain of the server that hosts your ILLiad web pages (e.g., https://<your.ILLiadWeb.domain>/)
  6. Click the plus sign (+) to add the domain
  7. Agree to the terms and conditions and click Submit to create the account
  8. Once registration is completed, you will be shown a page containing the Site Key and Secret Key values associated with your new account. Save these values as they will be used to configure the CaptchaSiteId and CaptchaSecret customization keys in the ILLiad Customization Manager during the next step of the configuration process.

hCaptcha

To create an hCaptcha account:

  1. Visit https://www.hcaptcha.com
  2. Click the Sign-Up button to begin the account creation process
  3. Click the Add hCaptcha to your service (free) option
  4. Follow the prompts to register for a free account
  5. Once registration is completed, you will be shown a page containing the Sitekey and Secret values associated with your new account. Save these values as they will be used to configure the CaptchaSiteId and CaptchaSecret customization keys in the ILLiad Customization Manager during the next step of the configuration process.

MTCaptcha

To create an MTCaptcha account:

  1. Visit https://www.mtcaptcha.com 
  2. Click the Free Account button to begin the account creation process
  3. Follow the prompts to register for an account. When prompted for the Domain Name, type the domain of the server that hosts your ILLiad web pages (e.g., https://<your.ILLiadWeb.domain>/)
  4. Once registration is completed, you will be shown a page containing the Site Key and Private Key values associated with your new account. Save these values as they will be used to configure the CaptchaSiteId and CaptchaSecret customization keys in the ILLiad Customization Manager during the next step of the configuration process.

2. Configure Captcha Customization Keys

Once your captcha account is created using one of the providers above, you will then need to use information from the captcha account to configure a series of customization keys in the ILLiad Customization Manager (all keys are located under System | System):

  • CaptchaProvider: Enter one of the following options exactly as shown below based on the captcha provider and plan you selected:
    • reCaptcha_v2_Checkbox
    • reCaptcha_v2_Invisible
    • reCaptcha_v3
    • hCaptcha
    • MTCaptcha
  • CaptchaSecret: Enter the Private Key (MTCaptcha)/Secret Key (reCAPTCHA)/Secret (hCaptcha) value associated with your captcha account. 
  • CaptchaSiteId: Enter the Site Key value associated with your captcha account.

Next, optionally review and modify the status line text that will appear on the ILLiad web interface if a user fails the captcha challenge on the user registration forms:

  • SLCaptchaFailure (located under Web Interface | Status Lines)

3. Edit Web Pages

After the new customization keys have been configured, follow the instructions below to update your web pages and add the captcha requirement to NewUserRegistration.html and LendingNewUserRegistration.html:

Updating NewUserRegistration.html

  1. Visit the ILLiad Downloads page and download the latest version of the ILLiad 9.1/9.2 Default Web Pages
  2. Unzip the downloaded zip file containing the new web page files
  3. Navigate into the folder containing the new web page files
  4. Navigate into the templates subfolder
  5. Copy the captcha subfolder and add this entire folder as a new subfolder within the templates folder in your ILLiad web directory (in GitHub or at the default location on the ILLiad server: C:\inetpub\wwwroot\illiad). This folder contains the following files; please ensure that the entire folder containing these files is added to your web directory:
    • include_captcha_none.html
    • include_hcaptcha.html
    • include_mtcaptcha.html
    • include_recaptcha_v2_checkbox.html
    • include_recaptcha_v2_invisible.html
    • include_recaptcha_v3.html
  6. Locate and make the following changes to the NewUserRegistration.html file in your ILLiad web directory:

    Change this (default line 15):

    <form action="illiad.dll"
    method="post" name="Registration">

    To this:

    <form action="illiad.dll" id="registration-form"
    method="post" name="Registration">

    And change this (default line 283 [9.2]/282 [9.1]):

    <button class="btn btn-primary btn-md"
    type="submit" name="SubmitButton"
    value="Submit Information">
    Submit Information</button>

    To this:

    <#CAPTCHA>
  7. Save your changes
  8. The captcha challenge requirement is now implemented on the New User Registration form. View and test the new captcha requirement on the form to ensure the integration has been properly configured.

Updating LendingNewUserRegistration.html

  1. Visit the ILLiad Downloads page and download the latest version of the ILLiad 9.1/9.2 Default Web Pages if you did not previously download them when updating NewUserRegistration.html using the steps in the section above.
  2. Unzip the downloaded zip file containing the new web page files
  3. Navigate into the folder containing the new web page files
  4. Navigate into the Lending subfolder
  5. Navigate into the templates subfolder
  6. Copy the captcha subfolder and add this entire folder as a new subfolder within the templates folder in your ILLiad Lending web directory (in GitHub or at the default location on the ILLiad server: C:\inetpub\wwwroot\illiad\Lending). This folder contains the following files; please ensure that the entire folder containing these files is added to your web directory:
    • include_captcha_none.html
    • include_hcaptcha.html
    • include_mtcaptcha.html
    • include_recaptcha_v2_checkbox.html
    • include_recaptcha_v2_invisible.html
    • include_recaptcha_v3.html
  7. Locate and make the following changes to the LendingNewUserRegistration.html file in your ILLiad web directory:

    Change this (default line 14):

    <form action="ILLiadLending.dll"
    method="post" name="Registration">

    To this:

    <form action="ILLiadLending.dll" id="registration-form"
    method="post" name="Registration">

    And change this (default line 197 [9.2]/198 [9.1]):

    <button class="btn btn-primary btn-md"
    type="submit" name="SubmitButton"
    value="Submit Information">
    Submit Information</button>

    To this:

    <#CAPTCHA>
  8. Save your changes
  9. The captcha challenge requirement is now implemented on the Lending New User Registration form. View and test the new captcha requirement on the form to ensure the integration has been properly configured.
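
A pre-test check for the web page edits above, written for this article as an added example (it is not Atlas Systems code). It confirms that a web directory contains all six captcha include files, that the registration form carries id="registration-form", that the <#CAPTCHA> tag is present, and that the original SubmitButton markup is gone. The function names, the constructed sample directory, and passing the CaptchaProvider value as an argument are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

# Include file names and CaptchaProvider values are the ones listed in the article.
INCLUDES = {f"include_{n}.html" for n in (
    "captcha_none", "hcaptcha", "mtcaptcha",
    "recaptcha_v2_checkbox", "recaptcha_v2_invisible", "recaptcha_v3")}
PROVIDERS = {"reCaptcha_v2_Checkbox", "reCaptcha_v2_Invisible", "reCaptcha_v3",
             "hCaptcha", "MTCaptcha"}
FORM_RE = re.compile(r'<form\b[^>]*\bname="Registration"[^>]*>', re.I)
BUTTON_RE = re.compile(r'<button\b[^>]*\bname="SubmitButton"', re.I)

def check_page(web_dir, page, provider):
    """Return a list of problems for one registration page; empty means it passes."""
    web_dir, problems = Path(web_dir), []
    if provider not in PROVIDERS:  # the key must be entered exactly as shown
        problems.append(f"CaptchaProvider {provider!r} is not a supported value")
    captcha_dir = web_dir / "templates" / "captcha"
    problems += [f"missing templates/captcha/{n}"
                 for n in sorted(INCLUDES) if not (captcha_dir / n).is_file()]
    page_path = web_dir / page
    if not page_path.is_file():
        return problems + [f"{page} not found"]
    html = page_path.read_text(encoding="utf-8", errors="replace")
    form = FORM_RE.search(html)  # the tag may span several lines
    if not form or 'id="registration-form"' not in form.group(0):
        problems.append(f'{page}: form lacks id="registration-form"')
    if "<#CAPTCHA>" not in html:
        problems.append(f"{page}: <#CAPTCHA> tag not present")
    if BUTTON_RE.search(html):
        problems.append(f"{page}: original SubmitButton markup still present")
    return problems

def make_sample(root, patched):
    """Write a constructed, minimal web directory for demonstration only."""
    root = Path(root)
    (root / "templates" / "captcha").mkdir(parents=True, exist_ok=True)
    for name in INCLUDES if patched else ():
        (root / "templates" / "captcha" / name).write_text("<!-- constructed -->")
    form_id = ' id="registration-form"' if patched else ""
    submit = "<#CAPTCHA>" if patched else '<button name="SubmitButton">Submit</button>'
    (root / "NewUserRegistration.html").write_text(
        f'<form action="illiad.dll"{form_id}\nmethod="post" name="Registration">{submit}</form>')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        make_sample(d, patched=False)  # unpatched page, mis-cased provider value
        print("\n".join(check_page(d, "NewUserRegistration.html", "recaptcha_v3")))
```

For the Lending form, pass the Lending web directory and LendingNewUserRegistration.html; the check only inspects files, so the form should still be submitted in a browser to confirm the challenge is enforced.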

Option 2: Disable New User Registration for Accounts Using Basic ILLiad Authentication

This option should not be chosen if you want to continue to allow users to create ILLiad accounts through basic ILLiad authentication (ILLiadAuth) from the New User Registration form or if you only allow users to register for accounts through this process.

User registration can be completely disabled for accounts created through basic ILLiad authentication (ILLiadAuth) from the New User Registration form (NewUserRegistration.html) using the ILLiadAuthUserRegistrationEnabled customization key. This option will prevent the creation of spam accounts by completely blocking account creation for users who are not pre-authorized for an ILLiad account via an ILLiad Exclusive, LDAP, PatronAPI, SymphonyAPI, or Remote Authentication configuration.

After disabling user registration for new ILLiadAuth accounts, the New User Registration form will still be accessible to users on the web interface. However, when these users attempt to submit the form to register for a new account, the form will not be submitted and the SLUserRegistrationDisabled status line will display to indicate that user registration has been disabled and to contact staff for assistance.

When ILLiadAuth user registration is disabled, this will only disable self-registration for these users from the New User Registration form on the ILLiad web pages. Staff will still be able to manually create new user accounts from the ILLiad Client for these users, if necessary or preferred.

Note: The ILLiadAuthUserRegistrationEnabled key will only enable/disable user registration from your production ILLiad web pages and will not affect your TestWeb web pages. After updating to ILLiad Web DLL/Lending Web DLL v9.2.3 (ILLiad 9.2) or Web DLL/Lending Web DLL v9.1.7 (ILLiad 9.1), users will not be able to register for an ILLiad account using any authentication type from the TestWeb pages by default. This option is not configurable.

Configuration Steps

To use the ILLiadAuthUserRegistrationEnabled customization key to disable new user registration for accounts created via basic ILLiad authentication (ILLiadAuth):

  1. Open the ILLiad Customization Manager
  2. Navigate to the ILLiadAuthUserRegistrationEnabled customization key located under System | System
  3. Set the value of this key to No
  4. Click Save to save your changes
  5. User registration is now disabled for basic ILLiad accounts created through the New User Registration form

Note that users who are pre-authorized for account creation via an ILLiad Exclusive, LDAP, PatronAPI, SymphonyAPI or Remote Authentication (RemoteAuth) integration will not be affected by configuring the ILLiadAuthUserRegistrationEnabled key to disable new user registration. These users will continue to be permitted to create ILLiad accounts following the usual account creation process.
