igoshev / laravel-captcha

Captcha integration for Laravel
https://laravel.bonecms.tech/laravel-captcha
MIT License
79 stars 35 forks

The same Captcha code can be used unlimited times (defeating purpose of captcha) #50

Closed skeets23 closed 8 months ago

skeets23 commented 3 years ago

If you manually fill out the captcha and submit the form, as long as you don't load a new captcha, you can then use the same captcha code to post to the same URL unlimited times.

It seems like the validator for the Captcha should also clear the bone_captcha session variable after validating the captcha, to avoid allowing the same code to be allowed multiple times.

As a workaround for my current project, I just manually wipe the bone_captcha field after it validates successfully. Then the user is required to load the captcha image before supplying the code (which makes a lot of sense).

If for some reason it's difficult to clear the bone_captcha session variable in the validator (I suppose this might be a backwards incompatibility issue, in the case that a project validates the captcha multiple times in a single request for some reason), then it should at least include in the examples in the readme that the bone_captcha session variable must be wiped after a successful validation.

some0ne2 commented 8 months ago

@skeets23 is this still open? Do you have another fix instead of wiping the bone_captcha after validation?

skeets23 commented 8 months ago

@some0ne2 As far as I know this is still a problem.

I've since switched to using reCAPTCHA.

some0ne2 commented 8 months ago

Working currently on some new release for this captcha.

This function should be the one which needs edit.

If you take a look here you can see that if a key is retrieved from storage (session) it will call the forget method onto the session. Since the $session is private it won't be able to fix this without a new push request / fork of this lib.

Can you verify your issue still exists? Please provide details, because from my point of view, the captcha should be cleared inside session when retrieved.
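The replay problem described in the opening report, and the forget-on-retrieve behaviour some0ne2 points to as the fix, can be shown side by side with a small self-contained script. This is an added example, not laravel-captcha's own code: `FakeSession`, `issueCaptcha`, `validateReusable` and `validateSingleUse` are hypothetical names standing in for the package's session and validator, and the session key `bone_captcha` is the one named in the issue.

```php
<?php
// Added example (not laravel-captcha's own code): an array-backed session
// stand-in showing why a captcha answer left in the session can be replayed,
// and how single-use ("pull") semantics removes the replay.

final class FakeSession
{
    /** @var array<string, mixed> */
    private array $data = [];

    public function put(string $key, mixed $value): void
    {
        $this->data[$key] = $value;
    }

    public function get(string $key): mixed
    {
        return $this->data[$key] ?? null;
    }

    public function forget(string $key): void
    {
        unset($this->data[$key]);
    }

    // Same contract as Laravel's Session::pull(): read the value and remove it in one step.
    public function pull(string $key): mixed
    {
        $value = $this->get($key);
        $this->forget($key);
        return $value;
    }
}

// Session key name used by the package, as named in this issue.
const CAPTCHA_KEY = 'bone_captcha';

// Issue a new captcha: generate a code and remember its lowercase form in the session.
function issueCaptcha(FakeSession $session): string
{
    $alphabet = 'abcdefghjkmnpqrstuvwxyz23456789'; // constructed alphabet without look-alike glyphs
    $code = '';
    for ($i = 0; $i < 5; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $session->put(CAPTCHA_KEY, strtolower($code));
    return $code;
}

// Vulnerable validator: compares against the stored code but never clears it,
// so the same code keeps passing for as long as the session lives.
function validateReusable(FakeSession $session, string $input): bool
{
    $expected = $session->get(CAPTCHA_KEY);
    return is_string($expected) && hash_equals($expected, strtolower($input));
}

// Hardened validator: the stored code is consumed on the first check, pass or fail,
// so a repeated submission is rejected until a fresh captcha image is loaded.
function validateSingleUse(FakeSession $session, string $input): bool
{
    $expected = $session->pull(CAPTCHA_KEY);
    return is_string($expected) && hash_equals($expected, strtolower($input));
}

// Replay demonstration: submit the same code twice through each validator.
$session = new FakeSession();
$code = issueCaptcha($session);
printf(
    "reusable:   first=%s second=%s\n",
    var_export(validateReusable($session, $code), true),
    var_export(validateReusable($session, $code), true)
);

$session = new FakeSession();
$code = issueCaptcha($session);
printf(
    "single-use: first=%s second=%s\n",
    var_export(validateSingleUse($session, $code), true),
    var_export(validateSingleUse($session, $code), true)
);
```

Run it with `php replay.php`; the first pair of checks both pass, the second pair passes once and then fails. Two design choices are worth noting: the hardened validator consumes the stored code even when the comparison fails, so an attacker cannot keep guessing against the same stored answer, and `hash_equals` is used for the comparison so the check does not leak timing information about the expected value. In a real Laravel application `session()->pull('bone_captcha')` gives the same get-and-forget behaviour as `FakeSession::pull()` here.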

skeets23 commented 8 months ago

Sorry, I haven't looked at this package for a couple years, so I only assumed that the issue hadn't been resolved since there had been no comment here.

I did some quick tests and this issue appears to have been resolved. @some0ne2