ZF-4187: Captcha session expires on 1 global hop instead of 1 namespace hop

Issue Type: Improvement Created: 2008-09-04T05:25:54.000+0000 Last Updated: 2008-09-10T09:39:19.000+0000 Status: Resolved Fix version(s): 1.6.1 (15/Sep/08)

Reporter: Andrei Nikolov (viperx) Assignee: Matthew Weier O'Phinney (matthew) Tags: Zend_Captcha

Related issues: Attachments:


I am not sure if this is the desired behaviour, but in version 1.6.0 captcha sessions expire after one global hop. This means that if, for example, we use a captcha on a comment field and some user opens 2 or more pages from our site (in browser tabs, for example), each with an article and a comment field secured with a captcha, only the last opened window will contain a solvable captcha; all the others will have expired.

A better solution is to make captcha sessions expire on 1 namespace hop, so in Zend/Captcha/Word.php on line 224, instead of

$this->_session->setExpirationHops(1);

use

$this->_session->setExpirationHops(1, null, true);


Posted by Matthew Weier O'Phinney (matthew) on 2008-09-04T06:24:54.000+0000

We had identified this solution already, but not created a ticket for it; thanks for posting it.

This same solution will be utilized for the Hash element, btw.

Posted by Hristo Angelov (hedonism) on 2008-09-05T00:48:30.000+0000

Hi there. I also think that expiration hops may be added as an option to the captcha, so we can call $captcha->setSessionExpirationHops(variable);

Posted by Andrei Nikolov (viperx) on 2008-09-05T00:57:20.000+0000

@Hristo Angelov:

Allowing more than 1 namespace hop would introduce security issues. A potential attacker could bypass the captcha by solving it once and then using the same captcha ID (which would still be valid, because you have increased the expiration hops) with the answer found.
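The two behaviours discussed in this thread, the global-hop expiry from the original report and the replay that more than one namespace hop would permit, as an added Python model. This is not Zend Framework code: the class, its method names and the hop bookkeeping are a simplification of Zend_Session's per-namespace counters, and it assumes the stored word is not cleared by a successful check.

```python
# Constructed model of Zend_Session hop expiry as seen by Zend_Captcha_Word (ZF-4187); not
# Zend Framework code. Assumption: the stored word is not cleared by a successful check.
import secrets

class CaptchaSessions:
    """One namespace per captcha ID, dropped after `hops` hops. usage_only=False counts every
    request (global hop, setExpirationHops(1)); True counts only reads (1, null, true)."""
    def __init__(self, hops=1, usage_only=False):
        self.hops, self.usage_only, self.ns = hops, usage_only, {}
    def _consume_hop(self, n):
        n["hops"] -= 1; n["counted"] = True
        n["expiring"] = n["hops"] <= 0     # readable for the rest of this request, then gone
    def begin_request(self):
        for cid in list(self.ns):
            n = self.ns[cid]
            if n["expiring"]:              # the previous request was its last hop
                del self.ns[cid]; continue
            n["counted"] = False
            if not self.usage_only:        # global hop: any request at all costs a hop
                self._consume_hop(n)
    def generate(self):
        """Like Zend_Captcha_Word::generate(): a fresh word under a new captcha ID."""
        cid, word = secrets.token_hex(4), secrets.token_hex(3)
        self.ns[cid] = {"word": word, "hops": self.hops, "expiring": False, "counted": True}
        return cid, word
    def is_valid(self, cid, answer):
        """Like Zend_Captcha_Word::isValid(): reading the namespace counts as a usage."""
        n = self.ns.get(cid)
        if n is not None and self.usage_only and not n["counted"]:
            self._consume_hop(n)            # namespace hop: only this read costs a hop
        return n is not None and secrets.compare_digest(n["word"], answer)  # None: expired

def two_tabs(hops, usage_only):
    """Render captcha pages in two tabs, submit the second tab, then the first."""
    s = CaptchaSessions(hops, usage_only)
    s.begin_request(); id1, w1 = s.generate()
    s.begin_request(); id2, w2 = s.generate()
    s.begin_request(); ok2 = s.is_valid(id2, w2)
    s.begin_request(); ok1 = s.is_valid(id1, w1)
    return ok1, ok2

def replay(hops, usage_only):
    """Solve a captcha once, then resubmit the same ID and answer on a later request."""
    s = CaptchaSessions(hops, usage_only)
    s.begin_request(); cid, word = s.generate()
    s.begin_request(); first = s.is_valid(cid, word)
    s.begin_request(); second = s.is_valid(cid, word)
    return first, second
```

With global hops the first tab's captcha is dead by the time it is submitted, with namespace hops both tabs validate, and any hop count above 1 lets the same ID and answer pass twice.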

Posted by Matthew Weier O'Phinney (matthew) on 2008-09-10T09:39:19.000+0000

Fixed in trunk and 1.6 release branch; will release with 1.6.1
