Zend Framework

Captcha session expires on 1 global hop instead of 1 namespace hop

Details

  • Type: Improvement
  • Status: Resolved
  • Priority: Major
  • Resolution: Fixed
  • Affects Version/s: 1.6.0
  • Fix Version/s: 1.6.1
  • Component/s: Zend_Captcha
  • Labels: None
  • Fix Version Priority: Must Have

Description

I am not sure if this is the desired behaviour, but in version 1.6.0 captcha sessions expire after one global hop. This means that if, for example, we use a captcha on a comment field and some user opens 2 or more pages from our site (in browser tabs, for example), each with an article and a comment field secured with a captcha, only the last opened window will contain a solvable captcha; all the others will have expired.

A better solution is to make captcha sessions expire on 1 namespace hop, so in Zend/Captcha/Word.php on line 224, instead of

    $this->_session->setExpirationHops(1);

it should be

    $this->_session->setExpirationHops(1, null, true);

Activity

Matthew Weier O'Phinney added a comment -

We had identified this solution already, but not created a ticket for it; thanks for posting it.

This same solution will be utilized for the Hash element, btw.

Hristo Angelov added a comment -

Hi there. I also think that expiration hops may be added as an option to captcha, so we can call $captcha->setSessionExpirationHops(variable);

Andrei Nikolov added a comment -

@Hristo Angelov:

Allowing more than 1 namespace hop would introduce security issues. A potential attacker can bypass the captcha by solving it once and then using the same captcha ID (which will still be valid, because you have increased the expiration hops) with the found answer.

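To make the difference between the two setExpirationHops() calls concrete, here is an added example in Python that is not Zend Framework code. It models the two expiration modes with a simplified, assumed version of the Zend_Session_Namespace hop accounting (hops=N means the stored word survives N further hops after the request that created it; in GLOBAL mode every request is a hop, in NAMESPACE mode only a request that reads that captcha's namespace is one). The names Session, render_captcha, validate_captcha, two_tabs_scenario and replay_scenario are hypothetical. It reproduces the two-tab problem from the description and the replay concern from the comment above, and goes one step beyond the page with an invalidate_on_success option.

```python
# Simplified model of hop-based session expiration for a word captcha.
# Added example, not Zend Framework code; hop semantics are an assumption.
from __future__ import annotations

import secrets
from dataclasses import dataclass
from enum import Enum


class HopMode(Enum):
    """Which requests count as a hop for an expiring namespace."""
    GLOBAL = "global"        # every request, as with setExpirationHops(1)
    NAMESPACE = "namespace"  # only requests that read this namespace, as with (1, null, true)


@dataclass
class _Entry:
    word: str
    hops: int                # further hops the entry survives before it is dropped
    mode: HopMode
    charged_in_request: int  # request number in which a hop was last charged


class Session:
    """One visitor's session holding one namespace per captcha id (simplified model)."""

    def __init__(self) -> None:
        self._entries: dict[str, _Entry] = {}
        self.request_no = 0

    def begin_request(self) -> None:
        """Start of a new HTTP request: every GLOBAL-mode namespace is charged a hop."""
        self.request_no += 1
        for cid, entry in list(self._entries.items()):
            if entry.mode is HopMode.GLOBAL:
                entry.hops -= 1
                if entry.hops < 0:
                    del self._entries[cid]

    def store(self, cid: str, word: str, hops: int, mode: HopMode) -> None:
        self._entries[cid] = _Entry(word, hops, mode, self.request_no)

    def forget(self, cid: str) -> None:
        self._entries.pop(cid, None)

    def read(self, cid: str) -> str | None:
        """Read a namespace. A NAMESPACE-mode entry is charged one hop the first time
        it is read in a request other than the one that created or last charged it."""
        entry = self._entries.get(cid)
        if entry is None:
            return None
        if entry.mode is HopMode.NAMESPACE and entry.charged_in_request != self.request_no:
            entry.charged_in_request = self.request_no
            entry.hops -= 1
            if entry.hops < 0:
                del self._entries[cid]
                return None
        return entry.word


def render_captcha(session: Session, hops: int, mode: HopMode) -> tuple[str, str]:
    """Render a page carrying a captcha: store the challenge word under a fresh id."""
    cid = secrets.token_hex(8)
    word = secrets.token_hex(3)  # stands in for the generated challenge word
    session.store(cid, word, hops, mode)
    return cid, word


def validate_captcha(session: Session, cid: str, answer: str,
                     invalidate_on_success: bool = False) -> bool:
    """Check a submitted answer against the stored word for that captcha id."""
    stored = session.read(cid)
    ok = stored is not None and secrets.compare_digest(stored, answer)
    if ok and invalidate_on_success:
        session.forget(cid)  # single-use challenge regardless of hop count
    return ok


def two_tabs_scenario(hops: int, mode: HopMode) -> bool:
    """Open page A, then page B in a second tab, then submit A's captcha."""
    s = Session()
    s.begin_request()
    a_id, a_word = render_captcha(s, hops, mode)
    s.begin_request()
    render_captcha(s, hops, mode)          # second tab: another request, untouched A
    s.begin_request()
    return validate_captcha(s, a_id, a_word)


def replay_scenario(hops: int, mode: HopMode,
                    invalidate_on_success: bool = False) -> tuple[bool, bool]:
    """Solve the captcha once, then resubmit the same id and answer in a later request."""
    s = Session()
    s.begin_request()
    cid, word = render_captcha(s, hops, mode)
    s.begin_request()
    first = validate_captcha(s, cid, word, invalidate_on_success)
    s.begin_request()
    second = validate_captcha(s, cid, word, invalidate_on_success)
    return first, second


if __name__ == "__main__":
    print("two tabs, global hop:   ", two_tabs_scenario(1, HopMode.GLOBAL))
    print("two tabs, namespace hop:", two_tabs_scenario(1, HopMode.NAMESPACE))
    print("replay, 1 namespace hop:", replay_scenario(1, HopMode.NAMESPACE))
    print("replay, 2 namespace hops:", replay_scenario(2, HopMode.NAMESPACE))
```

With one global hop the second tab's request expires tab A's word, so A never validates; with one namespace hop both tabs stay solvable because only the submission that reads A's namespace counts. Raising the namespace hop count to 2, as proposed in the earlier comment, makes the same id and answer validate a second time, which is the replay the comment above warns about. Dropping the stored word on the first successful check closes that replay independently of the hop count; the page does not say whether Zend_Captcha_Word does this, so it is shown here only as an option of the model.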
Matthew Weier O'Phinney added a comment -

Fixed in trunk and 1.6 release branch; will release with 1.6.1

Time Tracking

  • Original Estimate: 15 minutes
  • Remaining Estimate: 15 minutes
  • Time Spent: Not Specified