Issues

ZF-4187: Captcha session expires on 1 global hop instead of 1 namespace hop

Description

I am not sure if this is the desired behaviour, but in version 1.6.0 captcha sessions expire after one global hop. This means that if for example we use captcha on comment field and some user opens 2 or more pages from our site - in his browser tabs for example, each page of these with some article and field for comment, secured with captcha. Only the last opened window will contain solvable captcha, all the others would have been expired.

Better solution is to make captcha sessions expire on 1 namespace hop, so in Zend/Captcha/Word.php on line 224 instead of

$this->_session->setExpirationHops(1); to be $this->_session->setExpirationHops(1, null, true);

Comments

We had identified this solution already, but not created a ticket for it; thanks for posting it.

This same solution will be utilized for the Hash element, btw.

Hi there. I also think that expiration hops may be added as and option to captcha. So we can call $captcha->setSessionExpirationHops(variable);

@Hristo Angelov:

Allowing more than 1 namespace hop would introduce security issues. Potential attacker can bypass captcha by solving it once and then using the same captcha ID (which will be still valid, because you have increased the expiration hops) with the found answer.

Fixed in trunk and 1.6 release branch; will releaes with 1.6.1