Getting a "CAPTCHA session reuse attack detected" error. [#2893656]

Users who are attempting to register on our website are getting a "CAPTCHA session reuse attack detected" error when submitting our registration form.

We have confirmed in our test environments that the captcha form is cached (same sid, same token) when the form is rendered AND we have reCaptcha set as the captcha_point which seems to be causing this issue. However, we can't find exactly how or where this form is being cached. We can confirm that when we turn on the math captcha instead the caching issue does not happen.

We've done some cursory code exploration and see that the captcha module does some cache breaking stuff when generating the captcha that the reCaptcha module doesn't do, is that the problem? Anyone seen this before?

Comment	File	Size	Author
#17	2893656-9.patch	833 bytes	Tushar1
#17
#8	2893656-8.patch	531 bytes	finne
#8	8.x-2.x: PHP 7 & MySQL 5.5, D8.6 4 pass
#3	recaptcha_caching-2893656-3.patch	337 bytes	ben.denham
#3	8.x-2.x: PHP 7 & MySQL 5.5, D8.6 4 pass PHP 5.5 & MySQL 5.5, D8.6 4 pass PHP 5.5 & PostgreSQL 9.1, D8.6 4 pass PHP 5.5 & SQLite 3.8, D8.6 4 pass PHP 5.6 & MySQL 5.5, D8.6 4 pass PHP 7 & PostgreSQL 9.1, D8.6 4 pass PHP 7 & SQLite 3.14, D8.6 4 pass

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

10 July 2017 at 21:33

scrumorg created an issue. See original summary.

Comment #2

hass CreditAttribution: hass commented 11 July 2017 at 19:51

Status:

Active

» Closed (cannot reproduce)

Comment #3

ben.denham CreditAttribution: ben.denham at Catalyst IT commented 28 July 2017 at 02:10

Status:

Closed (cannot reproduce)

» Needs review

File	Size
recaptcha_caching-2893656-3.patch	337 bytes
8.x-2.x: PHP 7 & MySQL 5.5, D8.6 4 pass PHP 5.5 & MySQL 5.5, D8.6 4 pass PHP 5.5 & PostgreSQL 9.1, D8.6 4 pass PHP 5.5 & SQLite 3.8, D8.6 4 pass PHP 5.6 & MySQL 5.5, D8.6 4 pass PHP 7 & PostgreSQL 9.1, D8.6 4 pass PHP 7 & SQLite 3.14, D8.6 4 pass

I experienced the same issue, and applying the caching configuration that is used for captcha elements in the Captcha module seems to solve the problem.

Patch provided for further testing.

Comment #4

albertski CreditAttribution: albertski at Xeno Media, Inc. commented 19 October 2017 at 20:46

Status:

Needs review

» Reviewed & tested by the community

Ran into the same issue. Verified that this fixed the issues and the patch looks good.

Comment #5

hass CreditAttribution: hass commented 23 October 2017 at 19:54

Status:	Reviewed & tested by the community	» Needs work
Issue tags:		+Needs tests

Comment #6

pcorbett CreditAttribution: pcorbett at Redfin Solutions, LLC commented 10 January 2018 at 18:42

It appears as though this has already been included in 8.x-2.2 -- not positive as line numbers have changed since the patch included above.

Comment #7

finne

Dutch

Amsterdam

CreditAttribution: finne at Dx Experts commented 20 March 2018 at 09:06

We are getting the same issue on our user login form. I' going to try the patch and see if it helps. Setting the cache max age to 0 is necessary for the captcha module I think.

Comment #8

finne

Dutch

Amsterdam

CreditAttribution: finne at Dx Experts commented 20 March 2018 at 09:25

File	Size
2893656-8.patch	531 bytes
8.x-2.x: PHP 7 & MySQL 5.5, D8.6 4 pass

Here is a patch that applies the max-age and the cache killswitch, just as it is used in the captcha module image and math captchas. How would you go about testing this? Test that the resulting page is not cached, I guess?

Comment #9

finne

Dutch

Amsterdam

CreditAttribution: finne at Dx Experts commented 20 March 2018 at 09:29

Assigned:

Unassigned

» finne

Comment #10

finne

Dutch

Amsterdam

CreditAttribution: finne at Dx Experts commented 20 March 2018 at 10:01

Status:

Needs work

» Needs review

Comment #11

ruudvanoijen CreditAttribution: ruudvanoijen commented 20 March 2018 at 12:25

I've tested the last patch. The test I have used was on the user login page.
The kill switch seems to prevent it from caching.
According to the documentation. https://www.drupal.org/docs/8/api/cache-api/cache-max-age
That property can prevent the browser from caching. But Drupal can still cache page's without using the kill switch.

So all it needs now is unit tests.

Comment #12

hass CreditAttribution: hass commented 20 March 2018 at 20:55

But #2219993: Enable cacheable captcha support (once 2449209 is committed) implements a full cached version of recaptcha...

Comment #13

finne

Dutch

Amsterdam

CreditAttribution: finne at Dx Experts commented 21 March 2018 at 09:08

That sounds good (I'm all for caching more in drupal), but until that is comitted you might need this patch to make sure the current situation works without errors. This patch should definitely not be the focus of major efforts going forward. Enabling caching is a much better solution. So let's help to get 2449209 fixed first.