markets / invisible_captcha

🍯 Unobtrusive and flexible spam protection for Rails apps
https://rubygems.org/gems/invisible_captcha
MIT License

Submit form on multi tabs #111

Closed qwer24rus closed 6 months ago

qwer24rus commented 2 years ago

Hi. We are using Invisible Captcha on our site, and found a bug when using it in multiple tabs.

Steps to reproduce:

  1. Open more than one tab where spinner_enabled is used.
  2. Return to the tab that was opened first.
  3. Submit the form.
  4. You will get Invisible Captcha spinner value mismatch.

It happens because every time you open a tab where spinner_enabled is set, it places a value for the spinner in the session and rewrites it every time the view helper is called in a different tab. https://github.com/markets/invisible_captcha/blob/8f1f6d478eae8e3c59f049493faf2160d12d583f/lib/invisible_captcha/view_helpers.rb#L20-L22

Possible solution: instead of rewriting session[:invisible_captcha_spinner] every time, could you update it to something like:

```ruby
session[:invisible_captcha_spinner] ||= InvisibleCaptcha.encode("#{session[:invisible_captcha_timestamp]}-#{current_request.remote_ip}")
```

This solution will allow us to use the same invisible_captcha_spinner value across different tabs, and keep one invisible_captcha_spinner value per session. And it will allow us not to block the form for a user who has used multiple tabs.

markets commented 2 years ago

Hi @qwer24rus 👋🏼

This will make it "easier" for bots, as they will re-use also the "spinner" value, right?

I think a similar situation ("stale" data in session) was discussed in #24, #81, #53. Could you please read those issues and post back your thoughts on the topic?

Not sure if supporting that use-case of multiple tabs should be a priority (or even possible without making it easier for bots).
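The two behaviours being weighed in the report and the reply above (the view helper overwriting the session spinner on every render versus keeping the first value with `||=`) are easy to see in a small simulation. The following is an added example written for this page, not the invisible_captcha gem's code: the `encode` function (SHA-256 of "timestamp-ip"), the session hash, the IP and timestamp values are all constructed assumptions chosen to mirror the shape of the line the issue links to.

```ruby
require "digest"

# Constructed simulation of a spinner-style honeypot token kept in the session.
# This is NOT the invisible_captcha gem's implementation; the encoding and the
# session keys are assumptions made to illustrate the issue.
module SpinnerSim
  # Assumed encoding: a hex digest of "timestamp-ip". The real gem's encode
  # may differ; only the "derived from per-render data" property matters here.
  def self.encode(str)
    Digest::SHA256.hexdigest(str)
  end

  # Simulates one render of a form that uses the spinner in a given tab.
  # reuse: false -> overwrite the session value on every render (the behaviour
  #                 the issue reports)
  # reuse: true  -> keep the first value for the session (the proposed `||=`)
  # Returns the hidden-field value that tab's form would carry.
  def self.render_form(session, remote_ip:, now:, reuse:)
    session[:invisible_captcha_timestamp] = now
    value = encode("#{now}-#{remote_ip}")
    if reuse
      session[:invisible_captcha_spinner] ||= value
    else
      session[:invisible_captcha_spinner] = value
    end
    session[:invisible_captcha_spinner]
  end

  # Server-side check on submit: the posted spinner must match the session.
  def self.spinner_valid?(session, submitted_spinner)
    session[:invisible_captcha_spinner] == submitted_spinner
  end

  # The reporter's scenario: two tabs rendered at different times in one
  # session, then the FIRST tab's form is submitted.
  def self.multi_tab_submit(reuse:)
    session = {}
    ip = "203.0.113.7"                         # constructed client address
    tab1 = render_form(session, remote_ip: ip, now: 1_700_000_000, reuse: reuse)
    tab2 = render_form(session, remote_ip: ip, now: 1_700_000_005, reuse: reuse)
    {
      first_tab_accepted:  spinner_valid?(session, tab1),
      second_tab_accepted: spinner_valid?(session, tab2)
    }
  end

  # The maintainer's concern: a bot fetches the form once, keeps the spinner
  # value, reloads the form (which re-runs the helper), then replays the old
  # value. With overwrite semantics the reload invalidates it; with `||=` the
  # captured value stays valid for the life of the session.
  def self.replay_after_reload(reuse:)
    session = {}
    ip = "198.51.100.9"                        # constructed client address
    captured = render_form(session, remote_ip: ip, now: 1_700_000_100, reuse: reuse)
    render_form(session, remote_ip: ip, now: 1_700_000_160, reuse: reuse)
    spinner_valid?(session, captured)
  end
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |reuse|
    puts "reuse=#{reuse}: multi-tab #{SpinnerSim.multi_tab_submit(reuse: reuse)}, " \
         "replay after reload accepted=#{SpinnerSim.replay_after_reload(reuse: reuse)}"
  end
end
```

Run it with `ruby spinner_sim.rb`. With overwrite semantics the first tab's submit is rejected while the second tab's is accepted, which is the mismatch the reporter describes; with `||=` both tabs are accepted, but a value captured before a reload is also accepted, which is the trade-off the maintainer raises. Which side of that trade-off is right depends on whether the form is reachable by anonymous clients, the point the thread turns to next.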

qwer24rus commented 2 years ago

Hi @markets Yes, allowing multiple tabs can make it "easier" for bots (if they can use session data for the request). But from my side, I think it's bad practice to block multiple tabs for the user. It's not user friendly: every time they try to submit a form (with multiple tabs) they see a warning about the spinner and must refresh the page and fill in the form again. Just imagine if on GitHub or Stack Overflow we could use only one tab at a time while discussing; it would annoy tons of people. For example, if a spinner value were set on every reply form (here on GitHub), and I opened the link to the other discussion you sent in the reply above in a new tab, then to answer you here I would have to refresh this page after visiting those links in a new tab.

This discussion is more about comparing what is more important, protection from bots or usability. As for me: usability > protection from bots.

markets commented 2 years ago

Thanks for your input @qwer24rus!

I understand your point, but this kind of captcha is more designed for sign-up-like forms (or forms "open" to the internet, let's say, with no logged-in user). I've never seen captcha protection on GH issues or SO discussions.

GitLab, for example, uses this gem (or at least they did in the past), but only on their sign-up page.