| Author |
Message |
spasticdonkey
RavenNuke(tm) Development Team
Joined: Dec 02, 2006
Posts: 1252
Location: Texas, USA
|
 Posted:
Sat Jul 25, 2009 8:14 am |
 
|
Took me awhile to figure out what was going on here, but it appears there is a problem with the captcha in firefox 3.5.
It occurs when you have login block on left active, and you try to login at the account.html page. It appears to render a different captcha image for each, and if you try to login on the right it will always fail, saying incorrect captcha, go back.
it's not doing it in chrome or ie8, and never a problem until my recent update to firefox 3.5, which I believe has new JS engine...?
Confirmed this same behavior on
also had problems registering on the test site, after you click the activation link, and as you submit the required form, it tells me:
"You MUST be logged in to access this option"
kind of a catch22 since i can't login until submitting the form. This was on a previous version of firefox, btw. |
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16976
Location: Kansas
|
| Posted:
Sat Jul 25, 2009 4:48 pm |
|
Do you see this same behavior on 3.5.1 ? |
|
|
  
|
|
spasticdonkey
RavenNuke(tm) Development Team
Joined: Dec 02, 2006
Posts: 1252
Location: Texas, USA
|
| Posted:
Sat Jul 25, 2009 6:17 pm |
|
yes it's on 3.5.1, had it in the title, but forgot to type it right later in the post..  |
|
|
|
|
|
spasticdonkey
RavenNuke(tm) Development Team
Joined: Dec 02, 2006
Posts: 1252
Location: Texas, USA
|
| Posted:
Sat Jul 25, 2009 7:36 pm |
|
i also noticed the first time you visit page it is ok, but on the next hit it moves the captcha image that was on the right into the block, and loads new image on right.. cycling per say. |
|
|
|
|
|
wHiTeHaT
Involved
Joined: Jul 18, 2004
Posts: 431
Location: Netherlands
|
| Posted:
Fri Aug 21, 2009 1:05 pm |
|
This can definitely fix it.
After that change your login block with the bottom example:
Wrap this around the login block:
| Code: |
global /*your other globals aswell */ $name;
if ($name == 'Your_Account'){
/*do nothing */
}else{
/*default block code */
}
|
|
|
|
 |
|
Palbin
Site Admin
Joined: Mar 30, 2006
Posts: 2404
Location: Pennsylvania
|
| Posted:
Fri Aug 21, 2009 1:47 pm |
|
I wish firefox would just fix their caching problem (what I think it is) that would be better  . |
|
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16976
Location: Kansas
|
| Posted:
Fri Aug 21, 2009 2:19 pm |
|
Is this still an issue with 3.5.2? |
|
|
|
|
|
Palbin
Site Admin
Joined: Mar 30, 2006
Posts: 2404
Location: Pennsylvania
|
| Posted:
Fri Aug 21, 2009 2:49 pm |
|
|
|
|
|
amber222
Regular
Joined: Jun 09, 2004
Posts: 79
|
| Posted:
Fri Aug 21, 2009 5:53 pm |
|
Yes, I just upgraded to 3.5.2 and now cannot register or login through the Your_Account module or the Site Info block. |
|
|
|
|
|
Palbin
Site Admin
Joined: Mar 30, 2006
Posts: 2404
Location: Pennsylvania
|
| Posted:
Fri Aug 21, 2009 6:04 pm |
|
You should be able to login with the userinfo block on any page other than the YA login page. The problem can only be seen when multiple CAPTCHA are loaded. |
|
|
|
|
|
amber222
Regular
Joined: Jun 09, 2004
Posts: 79
|
| Posted:
Fri Aug 21, 2009 7:15 pm |
|
| Palbin wrote: | | You should be able to login with the userinfo block on any page other than the YA login page. The problem can only be seen when multiple CAPTCHA are loaded. |
I tried logging in with the userinfo block from the home page - over and over - but it just wouldn't work. Deleted cookies, but it made no difference. Finally, I hid the left blocks from the Your_Account module and was able to log in from there. Then I logged out, deleted cookies, and tried it from the home page, and it worked. |
|
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16976
Location: Kansas
|
| Posted:
Fri Aug 21, 2009 11:28 pm |
|
| Palbin wrote: | | You should be able to login with the userinfo block on any page other than the YA login page. The problem can only be seen when multiple CAPTCHA are loaded. |
Amber, I'm not sure exactly what your issue was but I'm glad you're able to login. My experiences have been the same as Palbin's  |
|
|
|
|
|
amber222
Regular
Joined: Jun 09, 2004
Posts: 79
|
| Posted:
Sat Aug 22, 2009 9:39 am |
|
As I noted in my edit to the post at it is sounding more and more like another Firefox 3.5.2 problem. It seems to prevent logins periodically, according to lots of users in their forums. BTW, I now recall there have been 2 times I wasn't able to log into admin no matter how many times I tried. I checked the db table and .staccess, and nothing had changed. The password reset script didn't work the first time. I had to delete the admin from the db and redo. The second time, the password reset script worked. Go figure?
On my test site (not the same as above), I used the same username for Admin and regular user but used different passwords. I saved the regular user password in Firefox. Now it won't let me log into admin even when I paste the correct admin password in the box. It keeps going back to the regular user password. Finally, I just changed the Admin username to something else. |
|
|
|
|
|
montego
Former Admin in Good Standing
Joined: Aug 29, 2004
Posts: 9071
Location: Arizona
|
| Posted:
Sat Aug 22, 2009 3:28 pm |
|
Palbin and I can clearly replicate the issue and are working on at least a hopefully temporary fix. We're trying to trick FF into thinking each image src really is different so it doesn't "re-use" from its cache. It is clear a bug, but it is not clear whether our friends at Mozilla believe it to be... |
|
|
|
|
|
wHiTeHaT
Involved
Joined: Jul 18, 2004
Posts: 431
Location: Netherlands
|
| Posted:
Sat Aug 22, 2009 3:34 pm |
|
I encounter with osc2nuke a simular issue.
To keep the registration/logins working i had to disable it.
I must admit the captcha ravennuke uses isnt my favorit , becouse it is a session based one.
If you ever going to use a module or what so ever into ravennuke , your captcha system posseble go be broken.
If raven desides someday to go use some session based module or script, he might need to completely change his current captcha methode.
The fix i submitted doesnt work when use osc2nuke.
not with version 2 and not with version 3 , i expected it to work atleast with v3.
I'm considering to make a new type of captcha based on human questions.
however edited by site admins where they can change the question and answers themself.
A captcha system is alway's a pain in the *ss |
Last edited by wHiTeHaT on Sat Aug 22, 2009 3:45 pm; edited 1 time in total |
|
|
|
|
montego
Former Admin in Good Standing
Joined: Aug 29, 2004
Posts: 9071
Location: Arizona
|
| Posted:
Sat Aug 22, 2009 3:43 pm |
|
wHiTeHaT, but that is actually a much more secure approach than any of the others that have been used in the past. I think even user logins should be moved to sessions as well. |
|
|
|
|
|
wHiTeHaT
Involved
Joined: Jul 18, 2004
Posts: 431
Location: Netherlands
|
| Posted:
Sat Aug 22, 2009 3:45 pm |
|
i agree, but read my edited message before your post , i clicked to soon to post. |
|
|
|
|
|
wHiTeHaT
Involved
Joined: Jul 18, 2004
Posts: 431
Location: Netherlands
|
| Posted:
Sat Aug 22, 2009 3:53 pm |
|
Infact , i must say , i not agree.
This session use doesnt give any extra security at all.
The session only generates a temporarly image/captcha value.
It doesnt secure the images content way of reading a processed image.
The session generated "ID" outputs a value in a form of an image + some text.
Thats it. |
|
|
|
|
|
montego
Former Admin in Good Standing
Joined: Aug 29, 2004
Posts: 9071
Location: Arizona
|
| Posted:
Sat Aug 22, 2009 3:55 pm |
|
Yup, didn't see your expanded post. Good points. I'd much rather use a service for this, such as reCAPTCHA (is that the right name???), so that as hackers/spammers learn how to crack, the service fortifies/adjusts, keeps the API the same, and all sites using it are now using the new improved version. But, lots of things to consider.
Anyways, good discussion! |
|
|
|
|
|
wHiTeHaT
Involved
Joined: Jul 18, 2004
Posts: 431
Location: Netherlands
|
| Posted:
Sat Aug 22, 2009 4:05 pm |
|
I must admit i never investigated how a bot works.
It is one reason i asked earlyer , if it is posseble for a bot to "act" as it has a cache of validated formfields.
My idea was to use a clïents formfield cache to login to a site.
So if clïent X visited before some site where he entered a form + submitted this form.
He gets a double dropdown selection field of al previous used value's.
He cannot manualy enter data into the field.If the choosen value's are identical , he's validated.
Please consider , a call to the browsers formfield cache might NOT be posseble for a bot couse he doesnt have a browser?
My concept thoughts think it is posseble to program a captcha explicit to read the formfield cache, by a programmed detection system. |
|
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16976
Location: Kansas
|
| Posted:
Sat Aug 22, 2009 4:46 pm |
|
| montego wrote: | Yup, didn't see your expanded post. Good points. I'd much rather use a service for this, such as reCAPTCHA (is that the right name???), so that as hackers/spammers learn how to crack, the service fortifies/adjusts, keeps the API the same, and all sites using it are now using the new improved version. But, lots of things to consider.
Anyways, good discussion! |
And as soon as they start charging or leave the scene everyone is left hanging. Using ANY third party system like that is a very treacherous road to follow and I have no intention of going down that road
Read the following article that is current. Very eye-opening especially if you doubt my decision .
- Especially the section Outages, Closures, and Fail -- Oh My!.
Then, be sure to read the follow-up to the story |
|
|
|
|
|
|
|
|
|
![[Valid RSS]](http://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
:: 
::
