Anon user tracking

[jace]

Anon user tracking has been disabled for the past several months as it tested only for cookie acceptance, and was easily fooled by headless browsers that play back cookies.

A less easily fooled mechanism could:

1. Like CRSF, submit the verification code in both the cookie and the form. An anon user is created only if both match.
2. Remove this submission from the current embedded image tag, and make it an explicit call that is triggered by a browser scroll or mouse move event, or other such event that will not occur in a headless browser – and maybe after a reasonable waiting period, say 30 seconds, since headless browsers are likely to scrape data and move on.

These changes will prevent accidental creation of anonymous user accounts, but won't stop an intentional submission by a customised browser. A mechanism by which to do automatic recaptcha without the click is yet to be defined.

[jace]

Cloudflare has a form of this "automatic recaptcha" when it gates some users based on unusual access behaviour.

[iambibhas]

@jace if we move the anon user detection to JS based events, wont that make browsers with JS disabled a trouble?

[jace]

We don't support browsers without JS anyway. That era is over.