Issue Type: Improvement Created: 2008-09-04T05:25:54.000+0000 Last Updated: 2008-09-10T09:39:19.000+0000 Status: Resolved Fix version(s): - 1.6.1 (15/Sep/08)
Reporter: Andrei Nikolov (viperx) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_Captcha
Related issues: Attachments:
I am not sure if this is the desired behaviour, but in version 1.6.0 captcha sessions expire after one global hop. This means that if for example we use captcha on comment field and some user opens 2 or more pages from our site - in his browser tabs for example, each page of these with some article and field for comment, secured with captcha. Only the last opened window will contain solvable captcha, all the others would have been expired.
Better solution is to make captcha sessions expire on 1 namespace hop, so in Zend/Captcha/Word.php on line 224 instead of
$this->_session->setExpirationHops(1); to be $this->_session->setExpirationHops(1, null, true);
Posted by Matthew Weier O'Phinney (matthew) on 2008-09-04T06:24:54.000+0000
We had identified this solution already, but not created a ticket for it; thanks for posting it.
This same solution will be utilized for the Hash element, btw.
Posted by Hristo Angelov (hedonism) on 2008-09-05T00:48:30.000+0000
Hi there. I also think that expiration hops may be added as and option to captcha. So we can call $captcha->setSessionExpirationHops(variable);
Posted by Andrei Nikolov (viperx) on 2008-09-05T00:57:20.000+0000
Allowing more than 1 namespace hop would introduce security issues. Potential attacker can bypass captcha by solving it once and then using the same captcha ID (which will be still valid, because you have increased the expiration hops) with the found answer.
Posted by Matthew Weier O'Phinney (matthew) on 2008-09-10T09:39:19.000+0000
Fixed in trunk and 1.6 release branch; will releaes with 1.6.1
Have you found an issue?
See the Overview section for more details.