I have a site that will have the 'CAPTCHA session reuse attack detected.' message displayed when displaying the user registration page with recaptcha installed. I know this error is coming from the captcha module, but this error does not happen when using standard captcha, only when using recaptcha. I can verify this issue on a clean Drupal 7.26 with the recaptcha module on and caching turned on:
Steps to Reproduce
- Install Drupal 7.26
- Install recaptcha module (and captcha module)
- Add recaptcha to the registration page
- Go to the registration page as an anonymous user
- Reload the page, then look at the headers and you will see "X-Drupal-Cache: HIT, and the CAPTCHA session ID will be the same as first page load."
This same issue will not show up if you are using captcha, you can turn off an put a default captcha math image on the page and the page will not be cached.
Comment | File | Size | Author |
---|---|---|---|
#54 | recaptcha-noncacheable-2219993-54.patch | 836 bytes | hswong3i |
#35 | recaptcha-cacheable-8.x-2219993-35.patch | 565 bytes | MiroslavBanov |
#12 | recaptcha-cacheable-2219993-1.patch | 560 bytes | Fabianx |
Comments
Comment #1
Liam MorlandThanks for the report. What is probably needed is something to ensure that reCAPTCHA pages are never cached. It would help to look at how the math CAPTCHA does it.
Comment #2
ShaneOnABike CreditAttribution: ShaneOnABike commentedI'm changing the status of this one as I think its fairly important to scale up. It's not the greatest to get the feeling that there is a possiblity for attacks on our sites using reCaptcha
Comment #3
Liam MorlandThe CAPTCHA session reuse attack is just a way of getting around the CAPTCHA. It doesn't open the site up to other attacks.
Comment #4
Jedd Casella CreditAttribution: Jedd Casella commentedWouldn't turning off "Cache pages for anonymous users" @ admin/config/development/performance mitigate this issue ?
Comment #5
Liam Morland@Jedd Casella: Yes, I expect that would solve the problem.
Comment #6
MiroslavBanov CreditAttribution: MiroslavBanov commentedHere is an issue in Captcha module to try to get reCAPTCHA+caching to work: #2449209: Add support for cacheable captcha's (recaptcha). This can be fixed in either of the two modules, so I am thinking both issues should be kept open.
Comment #7
Liam MorlandComment #8
hass CreditAttribution: hass commentedIs this a dupe of the fix http://drupalcode.org/project/recaptcha.git/commit/071f79c ?
Comment #9
MiroslavBanov CreditAttribution: MiroslavBanov commentedNo, because the fix is applied, and the problem persists.
Comment #10
Liam MorlandThis may be been resolved by #1395184: Forms with AJAX trigger "CAPTCHA session reuse attack detected." error. Please verify that the problem still happens.
Comment #11
hass CreditAttribution: hass commentedComment #12
Fabianx CreditAttribution: Fabianx at Tag1 Consulting commentedI implemented proper support for recaptcha on cached pages.
This patch will only do something once #2449209: Add support for cacheable captcha's (recaptcha) is committed. Still posting it now, so I can apply the patch for a client.
It however can be applied at any time.
Comment #13
Fabianx CreditAttribution: Fabianx at Tag1 Consulting commentedComment #14
hass CreditAttribution: hass commentedComment #15
plachLooks good and works well, feel free to move this to RTBC once the dependency is committed.
Comment #16
MiroslavBanov CreditAttribution: MiroslavBanov commentedI guess this is now for v2.
Comment #17
hass CreditAttribution: hass commentedComment #18
MiroslavBanov CreditAttribution: MiroslavBanov commentedDependency is committed. Should we RTBC based on #15?
Comment #19
plachYep :)
Comment #20
Fabianx CreditAttribution: Fabianx at Tag1 Consulting commented+1 for RTBC
Comment #21
gg4 CreditAttribution: gg4 commented+1 or is there anything else blocking this?
Comment #22
hass CreditAttribution: hass commentedComment #23
Fabianx CreditAttribution: Fabianx at Tag1 Consulting commented#22:
1. It depends on how captcha / recaptcha are implemented in Drupal 8.
2. No, idea, but the only effect is that it will continue to disable the page cache as now if the old captcha version is used.
The setting of the property has no effect if an older captcha version is used (as that property did not exist back then), so this is safe to commit whenever.
Maybe add a comment to the release notes:
Or something like that.
But in general this can go in without any risk:
- For older captcha versions: Nothing happens.
- For newer captcha versions: It works.
No other effects.
Comment #24
hass CreditAttribution: hass commentedI'm not aware there is a difference to D7 and captcha module also disables the cache on captcha enabled pages.
Comment #25
Fabianx CreditAttribution: Fabianx at Tag1 Consulting commentedI guess eventually that patch will be ported to 8.x then. It might be the same or rely on e.g. placeholdering to at least have dynamic_page_cache enabled.
In any case it will probably be different than the patch here, so I would suggest to get this in and postpone an 8.x issue on a potential upstream update for 8.x?
Comment #26
hass CreditAttribution: hass commentedThat would mean we are running into a regression. We should first fix D8, than backport.
Comment #27
MiroslavBanov CreditAttribution: MiroslavBanov commented@fabianx (#25)
8.x is already benefiting from dynamic_page_cache without any patches. If the patches are ported, the end result should be full page cache.
@hass (#26)
Captcha maintainer already merged the patch in D7. Why not apply the recaptcha patch? There is no reason why the patches can't be ported to D8, but delaying the D7 merge is not going to make this faster in my opinion.
Comment #28
hass CreditAttribution: hass commentedi think the rules are simple. We fix latest drupal, than backport. Otherwise fixes will never go into current versions, but only past.
I‘d really like to commit this asap, but we need to make sure we are not running into a regression. If nobody in here is interrested in D8, we will not see a D8 patch in next century. So, i make this a requirement for the D7 patch to get things done. Very simple.
Comment #29
hass CreditAttribution: hass commentedThere is another case #2893656: Getting a "CAPTCHA session reuse attack detected" error. that shows a bug if recaptcha is cached in D8. I guess we will see the same bug once this patch is committed. Aside of this bug the recaptcha seems to be cached in D8. So we do not need to write code for D8 to implement caching, but we need to figure out why the session reuse attack detected.
Comment #30
hass CreditAttribution: hass commentedComment #31
MiroslavBanov CreditAttribution: MiroslavBanov as a volunteer and at FFW commentedI did some research on this. I said in #27 that "8.x is already benefiting from dynamic_page_cache without any patches". That's not correct at all.
In 8.x image captcha and math captha do not benefit from dynamic_page_cache or full page_cache. It is possible that they can be made to benefit from dynamic_page_cache, but I have no idea how. Full page_cache shouldn't be possible because of how the module relies on the so called "captcha session" that it must create for each individual captcha challenge and store in mysql database.
This is how the caching is disabled in general:
In 8.x recaptcha already does benefit from full page_cache and it is working correctly in the sense that it is not preventing caching of the page, it is validating the challenge correctly, and it has a different challenge for each visit of the page. The only problem is that captcha module really likes to send the totally useless "CAPTCHA session reuse attack detected" message. The related issue #2893656-8: Getting a "CAPTCHA session reuse attack detected" error. currently has patches that fix the message by disabling cache. That's not ideal.
Comment #32
MiroslavBanov CreditAttribution: MiroslavBanov as a volunteer and at FFW commentedI ported the solution to D8. The captcha path is in #2974083: Port to D8: support for cacheable captcha (recaptcha). Adding the recaptcha patch here. The D7 is still RTBC. D8 needs review I guess.
Comment #33
MiroslavBanov CreditAttribution: MiroslavBanov as a volunteer and at FFW commentedComment #35
MiroslavBanov CreditAttribution: MiroslavBanov as a volunteer and at FFW commentedBot seems to be testing in D7. Re-uploading.
Comment #36
MiroslavBanov CreditAttribution: MiroslavBanov as a volunteer and at FFW commentedComment #38
Fabianx CreditAttribution: Fabianx at Tag1 Consulting commentedRTBC, but we are back waiting on upstream for 8.x
Comment #40
MiroslavBanov CreditAttribution: MiroslavBanov as a volunteer and at FFW commentedFailing test is irrelevant.
Comment #41
hass CreditAttribution: hass commentedFailing patches cannot committed.
Comment #42
MiroslavBanov CreditAttribution: MiroslavBanov as a volunteer and at FFW commentedThe failing test is not caused by the patch. It fails in all other d8 issues as well.
Comment #43
hass CreditAttribution: hass commentedRetesting as https://www.drupal.org/node/147903/qa is all green. Maybe a bot issue.
Comment #44
hass CreditAttribution: hass commentedComment #46
MiroslavBanov CreditAttribution: MiroslavBanov as a volunteer and at FFW commentedLast test in https://www.drupal.org/node/147903/qa is from 8th of March. Maybe it would fail if it runs now?
Comment #47
hass CreditAttribution: hass commentedHow can we test with an automated test if the caching works?
Comment #50
hass CreditAttribution: hass commentedComment #51
MiroslavBanov CreditAttribution: MiroslavBanov as a volunteer and at FFW commentedCaching worked for d8 before this patch. It's just that the error was displayed, and it needed to be suppressed.
How can we test that a page is cached? Make an http request to a page with a form. Inspect the headers. There should be a header such as
Cache-Control: public, max-age=1800
.It's a bit harder to test for the message, because it appeared the second time that the same cached form was submitted. And also - we would need to solve the recaptcha somehow.
Comment #52
hass CreditAttribution: hass commentedHopefully it never fails.
Comment #54
hswong3i CreditAttribution: hswong3i commentedSorry that I keep facing below error message (e.g. at
/user/login
):Most likely #2893656-8: Getting a "CAPTCHA session reuse attack detected" error. related issue, and so backport changes as below:
Hopefully this fix the problem :-(
Comment #55
khiminrm CreditAttribution: khiminrm at Lemberg Solutions commentedHi! I've faced with same error, only on '/user/register' page. I use recaptcha 8.x-2.4 and last dev version of captcha module.
In headers I see X-Drupal-Cache: HIT.
Flushing of Drupal's cache fixes errors, but I'm not sure how it can be reproduced.
We don't use any additional caching on the site.
Any thoughts? Thanks!
Comment #56
khiminrm CreditAttribution: khiminrm at Lemberg Solutions commentedI see that patch from #54 isn't committed. Should we reopen this issue?
Comment #57
MiroslavBanov CreditAttribution: MiroslavBanov as a volunteer and at FFW commented@56
Patch #54 actually disables caching so it doesn't match the title of this issue very well. I don't think this issue should be reopened again as it's too big and has too many different considerations to it. I believe a new issue is better.
Comment #58
FiNeX CreditAttribution: FiNeX as a volunteer commentedI'm also having the same error. The webform is embedded on a field, maybe this could be a problem?
Comment #59
jigariusI am using the contact_block module and I have placed a contact form on my contact page. The contact form has a captcha on it and I get the "captcha session reuse attack detected error". It'll be great to have a fix. For now, I'm going to disable the captcha even though it'll make me very sad to do so.