We are having huge spam attacks on our website, so I am planning to use a CAPTCHA on our site whenever I see more spam hits.
But I am wondering how to handle AJAX requests. The browser internally makes some AJAX calls to the Tomcat server, but I can't throw a CAPTCHA at these AJAX requests as they originate from the browser (via JS). So if I exclude AJAX requests from the CAPTCHA check, our website is still open to spammers through AJAX calls.
Please suggest what approach I should take to effectively handle AJAX calls as well.
Ask the user once to enter a CAPTCHA at the very beginning. Store the successful result in an HTTP session. Then every single call (AJAX or not) should check whether the CAPTCHA test was performed.
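
One way to implement the session check described in the answer above, as a servlet filter (an added example, not code from the original answer). It assumes Tomcat 10+ (`jakarta.*` packages; use `javax.servlet.*` on older versions); the attribute name `captchaPassedAt`, the `/captcha` path, the 30-minute re-check interval and the use of the `X-Requested-With` header to pick the response format are all assumptions made for illustration.

```java
import jakarta.servlet.*;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.*;
import java.io.IOException;

@WebFilter("/*")
public class CaptchaGateFilter implements Filter {
    // Hypothetical names: the handler that verifies the CAPTCHA answer is assumed
    // to store System.currentTimeMillis() (a Long) under CAPTCHA_OK_AT.
    static final String CAPTCHA_OK_AT = "captchaPassedAt";
    static final String CAPTCHA_PAGE = "/captcha";
    static final long MAX_AGE_MS = 30 * 60 * 1000L; // assumed re-check interval

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // The CAPTCHA page and its verify endpoint must stay reachable.
        String path = req.getRequestURI().substring(req.getContextPath().length());
        if (path.equals(CAPTCHA_PAGE) || path.startsWith(CAPTCHA_PAGE + "/")) {
            chain.doFilter(rq, rs);
            return;
        }

        // getSession(false): do not allocate a session for every anonymous hit.
        HttpSession session = req.getSession(false);
        Object passedAt = (session == null) ? null : session.getAttribute(CAPTCHA_OK_AT);
        boolean ok = passedAt instanceof Long
                && System.currentTimeMillis() - (Long) passedAt < MAX_AGE_MS;
        if (ok) {
            chain.doFilter(rq, rs);
            return;
        }

        // AJAX callers cannot render a CAPTCHA, so answer with a status the page
        // script can act on. The header only selects the response format; the
        // request is rejected either way.
        if ("XMLHttpRequest".equals(req.getHeader("X-Requested-With"))) {
            res.setStatus(HttpServletResponse.SC_FORBIDDEN);
            res.setContentType("application/json");
            res.getWriter().write("{\"error\":\"captcha_required\"}");
        } else {
            res.sendRedirect(req.getContextPath() + CAPTCHA_PAGE);
        }
    }
}
```

The page's JavaScript can treat the 403 `captcha_required` response as the signal to send the user to the CAPTCHA page and retry the call afterwards.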