False Positives

One way to reliably trigger Botcha is to go back in browser history to the page that was already submitted and try submitting it again. Botcha detects form reuse, and the error message reflects that. Based on your error message (which has no mention of the condition), it does not seem to be the case, so it might be a real issue.

I need more information:
1. What forms did the false positive occurred on - is it only the registration form or other forms as well?
2. What other modules are enabled (especially security/protection types. e.g. your report mentions "Gmail address entered seems to be not accepted." - what module does that verification, as it certainly not Botcha)?
3. How frequent is the error - is it persistent and users were not able to get through, or did it happen only once for each user and retry was ok? What prompts you to set "Major" priority?
4. Set Botcha log level to the highest and collect log information for the error. What recipe is triggered? What test/reply conditions are detected?
5. Can you reproduce the problem?
6. Can you share the website URL? (private message is OK)

And as usual - do regular Drupal stuff: flush caches, review other issues in the queue.

Another thing to verify - is there a password manager installed in user's browser? Poorly implemented one may be screwing things up. See #2148059: False positives with Dashlane

This helps a lot. I will take a look hopefully over the weekend.

Lowering the priority as it seems that the error is not what's blocking the registration, but other validation errors must be made.

I tried with few different validation errors:

1. With no password entered, "Accept terms and conditions" unchecked. Response was:

Password field is required.
Accept Terms & Conditions of Use field is required.
You must be a human, not a spam bot, to submit forms on this website. If you insist that you are a human, please try again. If error persists, contact webmaster using contact link at the bottom of this page and give all the details of this error (your browser, version, OS).
Please enable Javascript to use this form.

2. With 6-letter password entered, "Accept terms and conditions" unchecked. Response was:

Accept Terms & Conditions of Use field is required.
The password is too short: it must be at least 8 characters.
Your email address or username or IP address is blacklisted.

3. With 8-letter password entered, "Accept terms and conditions" unchecked. Response was:

Accept Terms & Conditions of Use field is required.
You must be a human, not a spam bot, to submit forms on this website. If you insist that you are a human, please try again. If error persists, contact webmaster using contact link at the bottom of this page and give all the details of this error (your browser, version, OS).
Please enable Javascript to use this form.

Strange that case 2 did not trigger the error.

Can you post the items for Botcha from the log (enabling highest Botcha log level) for these cases?

Note to self / maintainers: It may be happening if form_get_errors() is used at any point in Botcha to check if validation failed... then other validation errors may trigger an unexpected message.

Thanks for the files. I reviewed and did not find anything to pinpoint the problem.
Please review other issues for obscure_url recipe - it seems to have some unresolved problems in x.x-3.x, so you may encounter the same issue here.
Another failure is timegate, which means "too quick" submission. You may want to adjust the threshold or remove it from the recipe if it causes problems.

I am getting false positive errors with botcha on the node edit form page.

It also shows this error message:

• You must be a human, not a spam bot, to submit forms on this website. If you insist that you are a human, please try again. If error persists, contact webmaster using contact link at the bottom of this page and give all the details of this error (your browser, version, OS).
• Form session reuse detected. An old form was submitted again, which may happen if it was retrieved from browser history using "Back" button.
• Please try again - fill all entries on this page without going "Back".
• EntityMetadataWrapperException: Invalid data value given. Be sure it matches the required data type and format. in EntityMetadataWrapper->set() (line 122 of /home/site/public_html/sites/all/modules/entity/includes/entity.wrapper.inc).

Hey there - thanks putting together a really useful module.

I also got an email about Botcha false positives from a first-time user trying to register on the site. I've messaged asking for more information, but in the meantime I had two BOTCHA events in my error log. Both were:

user_register_form post blocked by BOTCHA: submission looks like from a spambot.

Failed 4 of 5 recipes [honeypot, honeypot2, obscure_url, timegate] from "default" recipe book.

That user can't have a password manager yet, so she shouldn't have autocompleted any fields. You mentioned that clicking the back button after making one validation error might trigger Botcha, but the no-resubmit test seems to be the only one this user passed. Have you got an idea what's going on here, or is there any more information I can pass on to shed some light?

You might be able to get it working by creating a new recipe book and remove the obscure URL and also allow for resubmit. Remember to change which recipe book is being used on each individual form though. It might be a reasonable work around for now.

Taking out no-resubmit sounds like a plan!

My affected user very kindly got back in touch with more information:

Hmm, curious. I'm not using any password managers, and I see the same fields on a computer with add-ons (like RequestPolicy and RikaiChan) and a computer with nothing changed from a default Ubuntu install. That said, it *worked* on the computer without the extra add-ons installed.

I'm a bit confused as to how they could've failed honeypot, timegate, etc - I didn't manage replicate the bug on Firefox 29.0 & Ubuntu 13.10, they're I'm on Ubuntu 14.04 with Firefox 29.0. Anyone with a deeper understanding of the blocking mechanism got any clues for me to follow up on? :)

I can think of only one mechanism... The add-ons must have filled some of the hidden fields, and it tipped off Botcha.

That sounds really likely, yeah. I wonder, are there any legit reasons for this kind of tool to enter data into any fields with input type=hidden? If not, I wonder if they could patch their code and Botcha could stay as-is...?

Either way I'll see if about replicating this and making a more precisely worded issue thread this afternoon :)

This looks like it is at least in part a duplicate of https://drupal.org/node/1926150

Just throwing in my confirmation that this bug still exists. I'm getting it pretty frequently on a site where we're using LoginToboggan (and possibly some custom coding; I inherited this site, so I'm not 100% clear on how the login page works). There's a javascript function in place that allows us to switch between the login and register forms immediately without additional page loads, so that could be the source of the problem.

I don't have a lot of time right now, but I'll look deeper into this problem in the future and report back my findings.

Same issue as in #12. We also use Logintoboggan and we get a lot of false positives from users who are unable to register or reset their password, for example.

Double post.

I got this error while testing. Here's how to reproduce it:

1) Try registering a username that's already taken, which should trigger an error message saying that the username is already taken.
2) Then try registering a username that's not taken.

It was just a quick test, but I'm guessing that this awesome module might actually have room for a bit of improvement.

I am having the same issue except that it is only with the forms. I just started a fresh Forum using the core Drupal 7 forum and the Advanced Forum module. The only way to post on the form is to disable the botcha module. Is there anyway to fix to this problem other then disabling the botcha module?

This really sounds like it's a dup of #1926150: Resubmitting a failed form always fails with ObscureUrl enabled - feel free to reopen if there's evidence this is not the case.

Hi,

we are encountering this too with a freshly set up forum. Users with access permissions to post on the forum get exactly the misleasing error message. The false positive makes it impossible for any regular user to post on the forum. The only account not affected in user #1 and users with admin accounts.

This was reported by different users, running very different operating systems and browsers. I could replicate this behaviour by using the current Opera 53.0 on Ubuntu.

From what I can see, the issue we are encounting has nothing to do with resubmitting a failed form. It happens every time and when a form is submitted for the first time, so I am re-opening this issue.

Things we tried which did not work was to change the 'Recipe book' for 'forum_node_form' at ./admin/config/people/botcha/form. Tried unsuccessfully the settings "Default", "AJAX friendly" and "Forbidden forms" and "Recipe book: None". None of these settings allows forum users to post.

Currently looking for a workaround other than disabling Botcha. However, only after disabling the 'botcha' module the forum is usable for forum users.