Open Ole73 opened 7 years ago
Hi Ole73,
Sorry for the delayed response. This is a valid issue. To overcome it, the latest version (currently in branch nextgen) creates a unique captcha ID along with each code it generates. The form now must submit a hidden captcha ID input as well as the code. On an unrelated but similar note, I also introduced "storage adapters" so there's a uniform interface to code storage be it in the session, database, memcached, redis or elsewhere. This makes it easy to change your storage backend to a database to get around other session issues with load balancing.
The nextgen branch is production ready and I've been using that code base on a number of sites, and in the WordPress plugin. Unfortunately it hasn't been merged because I haven't done the documentation and site updates.
I'd encourage you to give the nextgen branch a try.
In the securimage config, set 'no_session' => true,
and 'use_database' => true,
and then set the 'database_driver' => Securimage::SI_DRIVER_MYSQL,
as appropriate. It will use PDO_* for connecting. See https://github.com/dapphp/securimage/blob/nextgen/config.inc.php.SAMPLE and the following examples from the WordPress plugin may help as well:
https://plugins.trac.wordpress.org/browser/securimage-wp/trunk/securimage-wp.php#L415 https://plugins.trac.wordpress.org/browser/securimage-wp/trunk/lib/siwp_captcha.php
If you use PDO MySQL, you can ignore the part about the WordPress storage adapter and just set use_database and the database options, and it'll do the rest; no need to specify anything special there. But if you want to write your own or piggyback off an existing DB connection, have a look at https://plugins.trac.wordpress.org/browser/securimage-wp/trunk/lib/StorageAdapter/Wordpress.php and https://github.com/dapphp/securimage/tree/nextgen/StorageAdapter
Sorry for the lack of documentation and hiding away this ready to go version.
Please don't hesitate to get in contact with me directly if you want to try this version and have any questions.
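To make the nextgen design concrete, here is an added illustration (not securimage's own code, and not from the project) of the pattern described above: codes are stored in a shared database under a random per-captcha ID that the form carries back in a hidden input, so validation no longer depends on $_SERVER['REMOTE_ADDR'] or on which node behind the balancer handles the request. The table name, column layout and the in-memory SQLite DSN are assumptions for the sake of a stand-alone run.

```php
<?php
// Added illustration, not securimage's own storage adapter: a PDO-backed captcha store
// keyed by an unguessable per-captcha ID instead of the client IP. Uses in-memory SQLite
// so it runs stand-alone; behind a load balancer the DSN would point at a shared MySQL.

final class CaptchaStore
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        // Assumed table layout; securimage's real schema may differ.
        $this->db->exec('CREATE TABLE IF NOT EXISTS captcha_codes (
            id TEXT PRIMARY KEY, code TEXT NOT NULL, created INTEGER NOT NULL)');
    }

    // Store a freshly generated code under a new random ID and return that ID.
    // The ID (not REMOTE_ADDR, which is the balancer's address) is what the form submits.
    public function store(string $code): string
    {
        $id = bin2hex(random_bytes(16));
        $stmt = $this->db->prepare('INSERT INTO captcha_codes (id, code, created) VALUES (?, ?, ?)');
        $stmt->execute([$id, $code, time()]);
        return $id;
    }

    // Validate and consume: the row is deleted whatever the outcome, so a code gets one
    // attempt and cannot be replayed; expired codes are rejected; compare is constant-time.
    public function check(string $id, string $submitted, int $ttl = 900): bool
    {
        $stmt = $this->db->prepare('SELECT code, created FROM captcha_codes WHERE id = ?');
        $stmt->execute([$id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        $this->db->prepare('DELETE FROM captcha_codes WHERE id = ?')->execute([$id]);
        if ($row === false || time() - (int) $row['created'] > $ttl) {
            return false;
        }
        return hash_equals(strtolower($row['code']), strtolower($submitted));
    }
}

$store = new CaptchaStore(new PDO('sqlite::memory:'));
// Page render: store the generated code and emit the hidden ID next to the captcha field.
$id = $store->store('ab3k9'); // constructed sample code
echo '<input type="hidden" name="captcha_id" value="' . htmlspecialchars($id, ENT_QUOTES) . '">' . PHP_EOL;
// Form submit, on whichever node receives it: look the code up by ID in the shared store.
var_dump($store->check($id, 'AB3K9'));
// A second check with the same ID is rejected because the row was consumed on first use.
var_dump($store->check($id, 'AB3K9'));
```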
I got some problems getting securimage working in combination with a load balancer. Normal session validation only works by writing them to the database. And $_SERVER['REMOTE_ADDR'], which is used as the identifier in the db, also doesn't return the end user's IP, but one of the load-balancing servers. So, the captcha code validates only every x times, hitting the right server. Quick and easy solution for me was to enable db storage, disable session storage, but do an initial session_start() and then replace each $_SERVER['REMOTE_ADDR'] with session_id() in securimage.php