One time only valid captchas

impresspages / ImpressPages

ImpressPages is php framework with admin panel. Build functional website in one hour.

http://www.impresspages.org

Other

501 stars 178 forks source link

One time only valid captchas #862

Open pauser0000001 opened 6 years ago

pauser0000001 commented 6 years ago

The capchas should have one use only, otherwise an attacker can send several times the same form with the same captcha once it is solved. Optionally, a parameter is added to continue with the previous behaviour.

maskas commented 6 years ago

Will include in next release.

pauser0000001 commented 6 years ago

On a second though, as I don't usually use AJAX I didn't realize. What will happen to a single page website made with AJAX? There should be no problem with the captcha, but it will be with the CSRF token. Perhaps it is better to delete the CSRF token only on forms not received by AJAX, and perhaps only on webs with the debug option set to 0.