Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
You're supporting to select the following forms explicitly:
- General Forms
- User Registration form
- User Password Reset form
- Node Forms
- Forum topic node form
- Article node form
- Basic page node form
- Comment Forms
- Forum topic comment form
- Article comment form
- Basic page comment form
On one of my sites I see continuous malicious log in attempts using a limited set of user names, and this makes me wish I could protect the Login form on the "user" path as well.
Comment | File | Size | Author |
---|---|---|---|
#30 | 2469371-add-user_login-protection-1.patch | 1.09 KB | SocialNicheGuru |
#24 | interdiff.2469371.20-24.txt | 1.49 KB | esteban.arias |
#24 | 2469371-24.honeypot.Add-the-option-to-protect-the-login-form.patch | 1.06 KB | esteban.arias |
| |||
#21 | 2469371-21.patch | 823 bytes | vijaycs85 |
| |||
#11 | honeypot_protect_login_forms-v1.png | 316.6 KB | Francewhoa |
Comments
Comment #1
salvisSorry, wrong project -- move to the right one.
Comment #2
salvisHere's the patch.
Comment #3
geerlingguy CreditAttribution: geerlingguy commentedDoes this also apply to the user login form in the login block as well? For some reason, I'm remembering that form had a different form ID than the normal user login form... but I could be mistaken.
Comment #4
salvisYou're right, we should get both.
BTW, why are you excluding
if Protect all forms with Honeypot is selected?
Comment #5
salvisComment #6
markdorisonThe patch in #4 works as expected.
Comment #7
judapriestHello !
I'm currently testing the patch. But could someone have an answer to #4 Salvis question ?
Thanks in advance ;)
Comment #8
FrancewhoaConfirming patch works when honeypot is enabled on "User Login form" "User Login block". Yayaya. Thanks salvis and all :)
There is one bug though. Steps to reproduce:
admin/config/content/honeypot
admin/config/content/honeypot
/user
page. It's not added to "User Login form" and "User Login block" forms. Expected result is that it should. Because user checked "Protect all forms with Honeypot" option.Note: The above bug can only be reproduce in that specific order and exact steps. If user checked both "User Login form" and "User Login block" forms. Then save. Then user go back and checked "Honeypot Enabled Forms". Then save. That bug can't be reproduce.
If this is not a bug but by design feel really free to set this ticket back to "needs review". We're assuming that bug is related to the above comment 4.
Patch tested with
Same here. Many of our websites also receive large number of spam bots and spammers on their user log-in forms and blocks.
Comment #9
FrancewhoaAbout comment 4. I'll let geerlingguy or someone else answer that good question.
I suggest to remove 'user_login' and 'user_login_block' from the 'unprotected_forms'
If 'user_login' and 'user_login_block' where added to the 'unprotected_forms' because of a concern of user(s) or the admin locking themselves out of the website this is a very low risk because human would not willingly put anything into the hidden honeypot field. Robots will happily do that though, LOL ;)
One of the benefit of removing 'user_login' and 'user_login_block' from the 'unprotected_forms' is that it would significantly reduce the number of robot spammers accessing user's private information. Many site hide their user profile, email, contact information from anonymous users. But on users' request show that information to logged-in users. Many robot spammers who can get pass the log-in form abuse that. Remove 'user_login' and 'user_login_block' from the 'unprotected_forms' would reduce those abuses.
Comment #10
geerlingguy CreditAttribution: geerlingguy commentedIf spammers are able to hack your site login form to bypass user login and view private user profile information, then that's something that Honeypot won't be able to help with.
The primary reason why those forms are in
unprotected_forms
is that they are filled out by password managers in < 1 second, so if Honeypot and timestamp protection were enabled on those forms, they would break common login behavior and make users frustrated at their inability to login.Also, consider this—visit a few sites where you log in manually and check to see how long it takes to enter your credentials. If it's < 5 seconds, would you like to have to wait 15+ seconds to log into that site? Likely not. The user login form should not need spam prevention, because Drupal's built-in failed login flood limiting should take hold after 5 failed attempts, and if users have bad passwords that allow spammers to easily impersonate them, you should look into using Password Policy.
This module's number one goal, besides spam prevention, is to not punish the user. Therefore I'm amenable to adding an option to allow admins to explicitly protect the login form... but there's no way I'd protect it if someone checks the all forms checkbox, because for most sites I work on, that makes the user experience worse.
Honeypot is not a security-related module, just for spam prevention. User login form hacks are security-related and I've never seen a situation where spammers can use the login form to spam a site... See Login blocked after 5 failed login attempts for a discussion on flood control.
Comment #11
FrancewhoaThanks for your reply geerlingguy :) Make sense about the password managers. I agree.
To protect login forms against spam abuse. How about adding the following option?
Honeypot time limit on "User Login form" and "User Login block" only.
Suggested user interface
I suggest that by default the
seconds on "User Login form" and "User Login block" only
be set to zero/0. So there would be no change in behavior for current users of honeypot. But if some users want to they could enable the spam protection for login forms with optional time in seconds.In our case we would enable it and set it to zero. We have many large sites that badly need spam protection on login forms. As you know most spam robots would filled out the hidden honeypot field on login forms. While at the same time password managers could work.
Suggested user interface in text version
Comment #12
webel CreditAttribution: webel as a volunteer commentedWould like to have for D8 version. Not selectable under config page. YAML export has login form disabled.
BTW none of the other modules that can help protect login forms this way are working at the moment against latest D8. Spamicide crashes on configuration attempt. The others don't have D8 yet. And the current D8 Image Captcha is not easily configurable and has very crude obfuscation compared with the D7 version.
Therefore honeypot for login form is high on my wish list.
Comment #13
kalistos CreditAttribution: kalistos commentedPatch for 8.x-1.x version
Comment #14
kalistos CreditAttribution: kalistos commentedI forgot to add variable to config install.
Comment #15
kalistos CreditAttribution: kalistos commentedLast fix :)
Comment #16
geerlingguy CreditAttribution: geerlingguy commentedWouldn't we need to do a hook_update_N() hook to update the
unprotected_forms
config on existing sites? (And to add the new default for form_settings)?Comment #17
grahamvalue CreditAttribution: grahamvalue commentedHello,
The current 7.x version does not seem to have the option to protect login forms.
Does this require the patch to work on 7.x?
Thanks!
Comment #18
geerlingguy CreditAttribution: geerlingguy commented@serenitystocks - Yes, you would need the patch. I'm still leery of adding login form support because of the issues stated earlier in this thread, but as a non-default, it may be supported soon.
Comment #19
geerlingguy CreditAttribution: geerlingguy commentedComment #20
santhosh.fernando CreditAttribution: santhosh.fernando as a volunteer commentedUpdating the patch with the latest one.
Comment #21
vijaycs85Updated patch for 7.x
Comment #22
geek-merlinI think 7 comes when 8 is fixed.
Comment #23
esteban.arias CreditAttribution: esteban.arias as a volunteer commentedI can confirm that the D7 patch posted by Vijay works in my local Drupal sites. Anyone ese can review this to vouch for this implementation?
Comment #24
esteban.arias CreditAttribution: esteban.arias as a volunteer commentedDue to changes on the contributed module development version, I am updating the patch files for D8 on this issue to be compatible with the latest changes.
Comment #25
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer and at Appnovation for Pfizer, Inc. commentedI think captcha also offers this option fwiw. I also agree it should default to not be enabled for login forms, but having it as an easy to enable option would be nice.
This needs an upgrade path for existing sites. The upgrade path should set the default value of
form_settings
user_pass
tofalse
if it was before included on theunprotected_forms
array. Right now on installation it is set to false onform_settings
, but people could've removed it from theunprotected_forms
and then this needs to be updated if I'm reading this correctly.I believe the form_id is
user_pass
Comment #26
TR CreditAttribution: TR commentedNew features need to be put into the current branch first, which is 2.0.x.
Comment #27
TR CreditAttribution: TR commentedComment #28
SocialNicheGuru CreditAttribution: SocialNicheGuru commented(delete comment)
do not use this patch
Comment #29
SocialNicheGuru CreditAttribution: SocialNicheGuru commenteddo not use this patch
Comment #30
SocialNicheGuru CreditAttribution: SocialNicheGuru commentedComment #31
SocialNicheGuru CreditAttribution: SocialNicheGuru commentedIf you have a distribution like Social, the form Id for the user/login page might be different:
id="social-user-login-form"
Comment #32
SocialNicheGuru CreditAttribution: SocialNicheGuru commentedHow would one manually test this?
Comment #33
TR CreditAttribution: TR commentedAt a minimum, we need test cases for this. HoneypotFormTest already explicitly tests that the user_login_form is not protected, so that test should be expanded to also toggle the protection then test that it becomes protected. That will ensure the feature continues to work properly.
You can see from the test result that HoneypotFormTest actually fails with this patch, because what you have done is to change the default for that form from unprotected to protected. That should not be done, as mentioned above - the default should remain as unprotected. That way HoneypotFormTest will continue to work and can be expanded to cover turning on the option to protect that form.
Also,
+ '#title' => t('User Login form'),
needs to use$this->t()
.