Experimental Project

This is a sandbox project, which contains experimental code for developer use only.

Fixes "CAPTCHA session reuse attack detected" messages on certain AJAX-submitted fields (currently the File module's Upload field).

When AJAX-enabled forms submit fields (such as the File module's AJAX Upload button), the form is rebuilt and the CAPTCHA component marks the ID of the CAPTCHA input on the form as having been used. This module prevents the CAPTCHA component from being rendered (on the server side - it's never seen by site visitors anyway) for the AJAX form submission's rebuild process.

In more detail, the problem flow is:

  1. Clicking "Upload" on the file field on the form issues an AJAX POST against the endpoint "file/ajax".
  2. "file/ajax" is a menu_router item in Drupal, which invokes the page callback file_ajax_upload()
  3. file_ajax_upload() calls drupal_process_form()
  4. drupal_process_form() calls form_builder()
  5. form_builder() calls _form_builder_handle_input_element(), which attempts to assign values to the form's components. My fix inserts itself here.
  6. form_builder() then checks some flags and calls captcha_element_process().
  7. captcha_element_process() always updates the table {captcha_sessions}, burning the session (CSID) on the form in the user's actual browser (since their version of the form won't update once the AJAX file upload callback returns).

Currently only the File module's Upload field is supported, but future support should be easy to implement. File a Support Request issue in this module's queue with the module and field you would like supported, and I'll add it as quickly as possible.


Follow the instructions at Installing sandbox projects to get the code, then follow the standard instructions for Installing modules and themes to install the module. No configuration is necessary.

Project Information