Closed qwer24rus closed 6 months ago
Hi @qwer24rus 👋🏼
This will make it "easier" for bots, as they will re-use also the "spinner" value, right?
I think a similar situation ("stale" data in session) was discussed in #24, #81, #53. Could you please read those issues and post back your thoughts on the topic?
Not sure if supporting that use-case of multiple tabs should be a priority (or even possible without making it easier for bots).
Hi @markets. Yes, allowing multiple tabs can make it "easier" for bots (if they can use session data for requests). But from my side, I think it's bad practice to block multiple tabs for the user. It's not user friendly: each time they try to submit a form (with multiple tabs) they see a warning about the spinner and must refresh the page and fill in the form again. Just imagine if on GitHub or Stack Overflow we could use only one tab at a time while discussing; it would annoy tons of people. For example, if a spinner value were set on every reply form (here on GitHub), and I opened the links to the other discussions that you sent in the reply above, then to answer you here I would have to refresh this page after visiting those links in a new tab.
This discussion is more suitable for comparing what is more important, protection from bots or usability. As for me: usability > protection from bots
Thanks for your input @qwer24rus!
I understand your point, but this kind of captcha is designed more for sign-up "like" forms (or forms "open" to the internet, let's say, with no logged-in user). I've never seen captcha protection in GH issues or SO discussions.
GitLab, for example, uses this gem (or at least they did in the past), but only on their sign-up page.
Hi. We are using Invisible Captcha on our site, and found a bug when using it on multiple tabs.
Steps to reproduce:
`spinner_enabled` used.
Invisible Captcha spinner value mismatch
It happens because every time you open a tab where `spinner_enabled` is used, it places a value for the spinner in the session and rewrites it every time the view helper is called on different tabs. https://github.com/markets/invisible_captcha/blob/8f1f6d478eae8e3c59f049493faf2160d12d583f/lib/invisible_captcha/view_helpers.rb#L20-L22
Possible solution: instead of rewriting `session[:invisible_captcha_spinner]` every time, can you update it to something like:
This solution will allow us to use the same `invisible_captcha_spinner` value for different tabs, and keep one `invisible_captcha_spinner` value for a single session. And it will allow us not to block the form of a user who has used multiple tabs.
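
The trade-off debated in this thread, as an added example that is not code from the gem or from anyone in the discussion: a small model of a session-stored spinner under the overwrite-per-render behaviour described in the issue and under the reuse-per-session proposal. The helper names, the plain Hash standing in for the Rails session, and the `SecureRandom` value are assumptions made for illustration.

```ruby
require "securerandom"

# Hypothetical model, not the gem's implementation.
SESSION_KEY = :invisible_captcha_spinner

# Behaviour described in the issue: every form render overwrites the
# value kept in the session.
def render_overwrite(session)
  session[SESSION_KEY] = SecureRandom.hex(16) # constructed stand-in value
end

# Proposal from the issue: generate once, then reuse for the whole session.
def render_reuse(session)
  session[SESSION_KEY] ||= SecureRandom.hex(16)
end

# Server-side check: the submitted hidden field must match the session value.
def spinner_valid?(session, submitted)
  !submitted.nil? && submitted == session[SESSION_KEY]
end

# Tab 1 and tab 2 render the form, then tab 1 submits. Afterwards the form
# is rendered once more and the value first handed out is checked again.
def two_tab_outcome(render)
  session = {}
  tab1_value = send(render, session)
  send(render, session) # tab 2 renders the same form
  tab1_accepted = spinner_valid?(session, tab1_value)
  send(render, session) # a later render in the same session
  {
    tab1_accepted: tab1_accepted,
    old_value_accepted_after_rerender: spinner_valid?(session, tab1_value)
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "overwrite: #{two_tab_outcome(:render_overwrite)}"
  puts "reuse:     #{two_tab_outcome(:render_reuse)}"
end
```

With overwrite, tab 1 is rejected as soon as tab 2 renders; with reuse, tab 1 passes, and the first value handed out stays valid for every later submission in that session, which is the reuse concern raised in the maintainer's reply.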