OrchardCMS / Orchard

Orchard is a free, open source, community-focused Content Management System built on the ASP.NET MVC platform.
https://orchardproject.net
BSD 3-Clause "New" or "Revised" License

Registration screen should have Captcha option (Extensible registration/login screen) #3115

Open orchardbot opened 11 years ago

orchardbot commented 11 years ago

@bleroy created: https://orchard.codeplex.com/workitem/19286

Captcha protection on registration is even more important than on comments.

orchardbot commented 11 years ago

@sebastienros commented:

Should be extensible, LogOn is a Part. We use a fake content item in edit mode to render the login form / registration.

http://english.orchardproject.hu/blog/the-orchard-dynamic-page-pattern

orchardbot commented 10 years ago

kurtmang commented:

I am getting overloaded by spam user registrations and I'm afraid it's not apparent how to recaptcha protect the registration form.

orchardbot commented 9 years ago

@Piedone commented:

LogOn is NOT a part, and neither is registration, which is what this issue is about.

As far as I can see, the best generic way to fight spam with registration would be to inject a fake content item's display into the registration page (can be done through an MVC filter) so you can attach antispam parts to it, and in IUserEventHandler.Created() check for validity.

That is, if you want to implement it yourself. Otherwise we could have some official way of doing this, even by building a dynamic page for registration.

Piedone commented 9 years ago

Implemented in https://lombiqantispam.codeplex.com/ but it's a bit hackish: still, we'd need an extensible registration (and login) screen.

sfmskywalker commented 9 years ago

As with #4130 and #516, we could provide a recipe that creates a "RegistrationWidget" using the LayoutPart and accompanying workflow, and then users have the option of enhancing the registration form by adding the ReCaptcha element (which comes out of the box with Orchard 1.9).

dalenewman commented 7 years ago

Just an FYI:

My network services team used Tinfoil Security to scan one of my Orchard 1.10.1 sites. They supposedly used a "light" attack setting, and it created over 600 users that I couldn't delete within the admin interface (they had some crazy code inject names). Moreover, it caused database blocking alerts during the attack.

If it had been a prolonged (or real) attack, I would have had to take the site off-line.

I have since manually added ReCaptcha to my registration page by modifying Orchard.Users and the registration template in my theme. This meant both Orchard.Users and the theme module required Orchard.AntiSpam to be turned on (a dependency).

Piedone commented 7 years ago

@dalenewman could you please open a separate issue about users not being removable? That sounds like another serious, but separate issue.

sebastienros commented 7 years ago

Agreed with @Piedone that you should file another issue with the non-deletable users. We fixed a related issue for special chars but you mention 1.10.1 so I assume we really care about it.

I agree we could use a recaptcha on this screen. A mitigation is to remove registration, or at least enable email confirmation.