1 (edited by NettiCat 2009-10-06 20:08)

Topic: Pun_AntiSpam: Always invalid captcha code if cookies are disabled

If you disable browser cookies completely, AntiSpam will deny even correct captcha code input.

No hint is given on the problem, at least it should say something like:
"Cannot verify code, please enable cookies." - instead of the misleading "Invalid code" message.

I have quite a lot of fairly paranoid users on my site, generally with cookies and script disabled. They could not post. Now I quickly fixed the error message and I also tried to debug the issue myself but I might need some professional help(?)

Re: Pun_AntiSpam: Always invalid captcha code if cookies are disabled

I wonder how a forum can function at all with cookies disabled. A user can't log in if cookies are disabled.

Though you are right: there must be a message about cookies.

What kind of professional help do you need?

3 (edited by NettiCat 2009-10-07 06:42)

Re: Pun_AntiSpam: Always invalid captcha code if cookies are disabled

Parpalak wrote:

I wonder how a forum can function at all with cookies disabled. A user can't log in if cookies are disabled.

Why should a user want to log in? All my users are guests. Forum registration is disabled and it is not needed because the guests have all necessary rights. For example in my bug-report-forum they are allowed to post topics which I try to answer. However, guests are required to solve a captcha on every post.

I know that many users consider the register procedure as a burden, especially if email is required, some won't even try to post. I hope my answer gives you new insights into the usage of your software, but I wonder that you did not consider it could be used that way.



Parpalak wrote:

What kind of professional help do you need?

What I was trying to do is to provide an alternate way of captcha verification, a way without using cookies, using a URL parameter to transmit the session ID (in order to recreate the session variable after submit). I know there are general security concerns regarding URL session IDs but in this case they do not apply since it is used for guest status only.

I changed PHP INI to support trans_sid. Recreating a session variable after being submitted from another PHP file worked fine in my test environment. However, there were problems using the same procedure in PunBB/pun_antispam.

For a first test I modified form-action in post.php to:
action="<?php echo 'post.php?fid=3' ?>&<?php echo strip_tags(SID); ?>"
... to use a relative path (needed for URL-SID) and to add the SID as parameter (in forms PHP does not add it automatically).

In the po_end_validation hook (manifest.xml of pun_antispam) the session variable $_SESSION['pun_antispam_text'] should have been recreated directly after the session_start() instruction.
This unfortunately did not happen (SID was transferred successfully via URL), it was still empty, although the same procedure worked properly in my test with two simple PHP files. Any help appreciated.
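
Added example (not part of the thread and not PunBB or pun_antispam code): a stand-alone PHP script that carries the session ID in the form action as described above, and reports a lost session separately from a wrong code. The script itself, the `captcha_text` session key and the `captcha` field name are assumptions made for illustration.

```php
<?php
// Added example: hypothetical stand-alone script, not PunBB or pun_antispam code.
// 'captcha_text' and the 'captcha' form field are assumed names.

// These must take effect before session_start(). While
// session.use_only_cookies is 1, PHP ignores a session ID sent in the
// URL and starts a fresh, empty session instead.
ini_set('session.use_cookies', '0');
ini_set('session.use_only_cookies', '0');
ini_set('session.use_trans_sid', '0');   // the ID is added to the form action by hand below
ini_set('session.use_strict_mode', '1'); // reject IDs this server never issued
session_start();

$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $expected = $_SESSION['captcha_text'] ?? null;
    unset($_SESSION['captcha_text']);    // one attempt per issued code
    $given = strtolower(trim((string) ($_POST['captcha'] ?? '')));

    if ($expected === null) {
        // The session did not come back: say so instead of "Invalid code".
        $message = 'Cannot verify code: the session was lost. Please try again.';
    } elseif (hash_equals($expected, $given)) {
        $message = 'Code accepted.';
    } else {
        $message = 'Invalid code.';
    }
}

// Issue a new code for the next attempt (a real captcha renders it as an image).
$code = substr(bin2hex(random_bytes(4)), 0, 5);
$_SESSION['captcha_text'] = $code;

// Relative action URL carrying the session ID, as in the post above.
$action = basename(__FILE__) . '?' . rawurlencode(session_name()) . '=' . rawurlencode(session_id());
?>
<p><?= htmlspecialchars($message, ENT_QUOTES) ?></p>
<form method="post" action="<?= htmlspecialchars($action, ENT_QUOTES) ?>">
  <p>Demo only, code shown as text: <?= htmlspecialchars($code, ENT_QUOTES) ?></p>
  <input type="text" name="captcha" autocomplete="off">
  <input type="submit" value="Post">
</form>
```

A session ID in the URL ends up in server logs, browser history and Referer headers, so the session here holds nothing but the captcha text. PHP 8.4 deprecates URL-based session IDs, so this applies to older deployments like the one in the thread.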

Re: Pun_AntiSpam: Always invalid captcha code if cookies are disabled

Please look at the user notes here: http://php.net/manual/en/session.idpassing.php
Maybe your issue is the same.

We can include your fix (session id in URL) in pun_antispam if it works fine.

Re: Pun_AntiSpam: Always invalid captcha code if cookies are disabled

Thank you. I've read the user notes there and the information looked very promising. But unfortunately it could not fix my problem. Maybe I have done something stupid, I'm still confident and will try to find a solution.

Note: Besides the reported small bugs I am highly pleased with your PunBB board software.
Meanwhile I also tried the PhBB board, but I was really shocked to see how that bad software performed: Two different fatal errors during installation with SQLite forced me to re-start at the beginning and finally the board turned out to be totally overloaded with unnecessary stuff, making any configuration attempts a real nightmare - not to mention the lame plugin support and even more drawbacks.

So thanks again for that nice piece of PunBB software! ;)