Searched hist:a285df67bba92c0e515b79f89013d7edbd478251 (Results 1 – 1 of 1) sorted by relevance
/plugin/captcha/helper.php
a285df67bba92c0e515b79f89013d7edbd478251 Wed Feb 01 18:15:29 UTC 2017 Andreas Gohr <andi@splitbrain.org> implement "cookies" against replay attacks
The CAPTCHA plugin tried to be stateless. No cookie related information was stored on the server (e.g. in the session). Instead, encryption of available information was used to ensure captcha codes couldn't be faked. To avoid replay attacks the plugin relied on the last change date of the current page. When a captcha was filled in correctly a page edit was allowed and the next captcha would use different encryption. However this does not work where the captcha is used independently from a page edit. E.g. for logins or comments.
To fix this some data has to be stored server side. Most captchas simply store the code in the session of the user. This has two disadvantages:
1) only one code can be used, which makes having multiple tabs with editing sessions a pain
2) the session must be open for writing when the captcha is displayed and checked
This change implements a different approach. For each displayed captcha a "cookie" (a 0 byte file) is stored in the tmp directory. When a captcha is checked, the cookie is removed again. This way each captcha can only be used once.
Cleaning up the tmp directory is still missing and comes in a second commit.
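The approach the commit message describes, as an added Python sketch (not the plugin's PHP and not code from the page): one zero-byte "cookie" file per issued captcha, unlinked on the first check so a code can never be replayed. The server secret, the tmp directory and the derivation of the code from a random captcha id are assumptions for the demo; the stale-file cleanup the message defers to a later commit is included as a sketch.

```python
import hashlib
import hmac
import os
import secrets
import tempfile
import time

# Constructed stand-ins for the plugin's server-side secret and tmp dir.
SECRET = b"example-server-secret-not-the-plugins"
TMP_DIR = os.path.join(tempfile.gettempdir(), "captcha_cookie_demo")


def _cookie_path(captcha_id: str) -> str:
    # Filename is an HMAC of the id: the client cannot choose the name,
    # and the tmp dir never reveals which ids are outstanding.
    digest = hmac.new(SECRET, captcha_id.encode(), hashlib.sha256).hexdigest()
    return os.path.join(TMP_DIR, digest + ".cookie")


def expected_code(captcha_id: str) -> str:
    # Stateless part: the code is derived from the id with the secret,
    # so the server does not need to store the code itself.
    return hmac.new(SECRET, b"code:" + captcha_id.encode(), hashlib.sha256).hexdigest()[:6]


def issue_captcha() -> tuple[str, str]:
    """Display step: mint an id, drop the 0-byte cookie, return (id, code)."""
    os.makedirs(TMP_DIR, exist_ok=True)
    captcha_id = secrets.token_hex(8)          # travels with the form
    with open(_cookie_path(captcha_id), "x"):  # exclusive create, zero bytes
        pass                                   # the file's existence is the state
    return captcha_id, expected_code(captcha_id)


def check_captcha(captcha_id: str, submitted: str) -> bool:
    """Check step: consume the cookie first, then compare the code."""
    try:
        os.remove(_cookie_path(captcha_id))  # only one caller can win an unlink
    except FileNotFoundError:
        return False                          # never issued or already consumed
    return hmac.compare_digest(expected_code(captcha_id), submitted)


def cleanup_stale(max_age_seconds: float) -> int:
    """Sketch of the deferred housekeeping: drop cookies older than max_age."""
    removed, now = 0, time.time()
    for name in os.listdir(TMP_DIR):
        path = os.path.join(TMP_DIR, name)
        if name.endswith(".cookie") and now - os.path.getmtime(path) > max_age_seconds:
            os.remove(path)
            removed += 1
    return removed
```

Because the cookie is removed before the code is compared, a wrong guess also burns the captcha, which matches the message's "checked once" semantics and limits guessing per image.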