Users who are attempting to register on our website are getting a "CAPTCHA session reuse attack detected" error when submitting our registration form.
We have confirmed in our test environments that the captcha form is cached (same sid, same token) when the form is rendered AND we have reCaptcha set as the captcha_point which seems to be causing this issue. However, we can't find exactly how or where this form is being cached. We can confirm that when we turn on the math captcha instead the caching issue does not happen.
We've done some cursory code exploration and see that the captcha module does some cache breaking stuff when generating the captcha that the reCaptcha module doesn't do, is that the problem? Anyone seen this before?
Comment | File | Size | Author
---|---|---|---
#17 | 2893656-9.patch | 833 bytes | Tushar1
#8 | 2893656-8.patch | 531 bytes | finne
#3 | recaptcha_caching-2893656-3.patch | 337 bytes | ben.denham
Comments

Comment #2
hass commented

Comment #3
ben.denham (Catalyst IT) commented:
I experienced the same issue, and applying the caching configuration that is used for captcha elements in the Captcha module seems to solve the problem.
Patch provided for further testing.
Comment #4
albertski (Xeno Media, Inc.) commented:
Ran into the same issue. Verified that this fixed the issues and the patch looks good.
Comment #5
hass commented

Comment #6
pcorbett (Redfin Solutions, LLC) commented:
It appears as though this has already been included in 8.x-2.2 -- not positive, as line numbers have changed since the patch included above.
Comment #7
finne commented:
We are getting the same issue on our user login form. I'm going to try the patch and see if it helps. Setting the cache max age to 0 is necessary for the captcha module, I think.
Comment #8
finne commented:
Here is a patch that applies the max-age and the cache killswitch, just as it is used in the captcha module image and math captchas. How would you go about testing this? Test that the resulting page is not cached, I guess?
Comment #9
finne commented

Comment #10
finne commented

Comment #11
ruudvanoijen commented:
I've tested the last patch. The test I have used was on the user login page.
The kill switch seems to prevent it from caching.
According to the documentation (https://www.drupal.org/docs/8/api/cache-api/cache-max-age), that property can prevent the browser from caching. But Drupal can still cache pages without using the kill switch.
So all it needs now is unit tests.
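To make the mechanism described in #8 and #11 concrete, here is an added example (not the recaptcha module's own code and not either patch) of a `hook_captcha()` implementation for a hypothetical module `mymodule` that sets both the element `max-age` and the page cache kill switch, the same pattern the captcha module uses for its image and math challenges. The challenge type, field name and solution are placeholders.

```php
<?php

/**
 * Implements hook_captcha().
 *
 * Hypothetical module "mymodule"; the challenge itself is a placeholder.
 */
function mymodule_captcha($op, $captcha_type = '') {
  switch ($op) {
    case 'list':
      return ['Example challenge'];

    case 'generate':
      if ($captcha_type !== 'Example challenge') {
        return [];
      }
      $captcha = [];
      // Placeholder solution; a real challenge derives it per request so
      // that the captcha session id and token are unique to one visitor.
      $captcha['solution'] = 'example';
      $captcha['form']['example_response'] = [
        '#type' => 'textfield',
        '#title' => t('Example challenge'),
        '#required' => TRUE,
        // max-age 0 bubbles up to the response: the render cache, Dynamic
        // Page Cache and the browser must not reuse this element, so the
        // same sid/token is never served to a second visitor.
        '#cache' => ['max-age' => 0],
      ];
      // The Internal Page Cache for anonymous users ignores max-age, which
      // is why a cached form with a stale sid/token still appears without
      // this; the kill switch marks the whole response uncacheable.
      \Drupal::service('page_cache_kill_switch')->trigger();
      return $captcha;
  }
  return [];
}
```

Without the kill switch line, an anonymous visitor can still receive a page-cached copy of the form, which is exactly the "CAPTCHA session reuse attack detected" symptom from the issue summary.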
Comment #12
hass commented:
But #2219993: Enable cacheable captcha support (once 2449209 is committed) implements a full cached version of recaptcha...
Comment #13
finne commented:
That sounds good (I'm all for caching more in Drupal), but until that is committed you might need this patch to make sure the current situation works without errors. This patch should definitely not be the focus of major efforts going forward. Enabling caching is a much better solution. So let's help to get 2449209 fixed first.
Comment #14
dandaman commented:
This patch seems to resolve the issue for me. If I have some time, I will try to add some tests to it, but don't hold your breath.
Comment #15
hass commented:
Please retest with latest captcha DEV as #2974083: Port to D8: support for cacheable captcha (recaptcha) has been committed and should solve this problem.
Comment #16
MiroslavBanov (as a volunteer and at FFW) commented:
@hass
I think you also need the patch from #2219993: Enable cacheable captcha support (once 2449209 is committed) to suppress the error message.
Comment #17
Tushar1 (TATA Consultancy Services for Pfizer, Inc.) commented:
Patch #9 applied on latest version 3.x-dev.
Comment #18
Rafael Maito (Zoocha) commented:
The issue is still happening, but applying the patch from #17 resolved it.