Closed skeets23 closed 8 months ago
@skeets23 is this still open? Do you have another fix instead of wiping the bone_captcha after validation?
@some0ne2 As far as I know this is still a problem.
I've since switched to using reCAPTCHA.
Currently working on a new release for this captcha.
This function should be the one which needs editing.
If you take a look here you can see that if a key is retrieved from storage (session) it will call the forget method on the session.
Since the $session is private it won't be possible to fix this without a new push request / fork of this lib.
Can you verify your issue still exists? Please provide details, because from my point of view, the captcha should be cleared inside session when retrieved.
Sorry, I haven't looked at this package for a couple years, so I only assumed that the issue hadn't been resolved since there had been no comment here.
I did some quick tests and this issue appears to have been resolved. @some0ne2
If you manually fill out the captcha and submit the form, as long as you don't load a new captcha, you can then use the same captcha code to post to the same URL unlimited times.
It seems like the validator for the Captcha should also clear the bone_captcha session variable after validating the captcha, to avoid allowing the same code to be allowed multiple times.
As a workaround for my current project, I just manually wipe the bone_captcha field after it validates successfully. Then the user is required to load the captcha image before supplying the code (which makes a lot of sense).
If for some reason it's difficult to clear the bone_captcha session variable in the validator (I suppose this might be a backwards incompatibility issue, in the case that a project validates the captcha multiple times in a single request for some reason), then it should at least include in the examples in the readme that the bone_captcha session variable must be wiped after a successful validation.
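The difference between a reusable and a single-use captcha check, as an added example that is not part of the thread or of the library's code. SessionStore, checkReusable and checkSingleUse are hypothetical names, and the sketch assumes the expected code is kept as plain text under the bone_captcha session key; the single-use version clears the key on retrieval, so a failed guess also forces a new captcha to be loaded.

```php
<?php
// Added example: a constructed in-memory stand-in for the session store.
// SessionStore, checkReusable and checkSingleUse are hypothetical names.
final class SessionStore
{
    private array $data = [];

    public function put(string $key, string $value): void
    {
        $this->data[$key] = $value;
    }

    public function get(string $key): ?string
    {
        return $this->data[$key] ?? null;
    }

    // Read the value and remove it in one step, so it can be used only once.
    public function pull(string $key): ?string
    {
        $value = $this->data[$key] ?? null;
        unset($this->data[$key]);
        return $value;
    }
}

// Behaviour described in the report: the stored code survives validation.
function checkReusable(SessionStore $s, string $input): bool
{
    $expected = $s->get('bone_captcha');
    return $expected !== null && hash_equals($expected, $input);
}

// Single-use check: the stored code is removed on every attempt, pass or fail.
function checkSingleUse(SessionStore $s, string $input): bool
{
    $expected = $s->pull('bone_captcha');
    return $expected !== null && hash_equals($expected, $input);
}

foreach (['checkReusable', 'checkSingleUse'] as $check) {
    $session = new SessionStore();
    $session->put('bone_captcha', 'x7k2p');   // constructed sample code
    $first  = $check($session, 'x7k2p');      // first submission
    $second = $check($session, 'x7k2p');      // same code submitted again
    printf("%s: first=%s second=%s\n", $check, var_export($first, true), var_export($second, true));
}
```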