invalid and inconsistent captcha behavior


Post by tired_one » Wed Jan 19, 2005 4:28 pm

It's me again...sorry...

We'd like to use the captcha feature in the spamblock plugin, but in testing we noticed that it behaves rather erratically. Sometimes it works and sometimes it doesn't.

For instance, I just tried to add a comment to my test blog and it was rejected 5 times because of an invalid captcha entry and I *know* that I typed the darn thing properly...on the 6th try it was accepted.

I can't implement this if it is going to do this to the users visiting the site.

It's really unpredictable when it will happen as well.

Again, we're using 0.7.1

Thanks.

-Robyn

tired_one
Regular
Posts: 25
Joined: Thu Jan 13, 2005 11:51 pm
Location: USA

Post by tired_one » Wed Jan 19, 2005 4:50 pm

I noticed that if I have the browser security settings set to anything above medium-high in IE, this really becomes a problem...and it never works if you have the browser set to block all cookies.
-Robyn

Little Hamster
Regular
Posts: 62
Joined: Thu Oct 07, 2004 3:16 pm

Post by Little Hamster » Wed Jan 19, 2005 4:51 pm

URL please?

I've been using captcha for a month now, and haven't got any problems. One way to minimise the use of captcha is to set only entries older than 7 days to require commenters to pass the challenge-response test. It usually takes about a week for search engines to index your new entries (and for comment spammers to find them).
Last edited by Little Hamster on Wed Jan 19, 2005 5:54 pm, edited 1 time in total.

tired_one
Regular
Posts: 25
Joined: Thu Jan 13, 2005 11:51 pm
Location: USA

Post by tired_one » Wed Jan 19, 2005 4:59 pm

this is my testing blog... http://www.b-p-s.net/s9y/clean/serendipity/

It's been requested of me by my boss (his blog) that I get the captchas working in a consistent manner so they can be enabled for all comments. The reasoning is that it's a fairly heavily trafficked blog and we get lots of spam attacks (we do use the IP blocking, IP blacklisting, disallow duplicate text, etc...this would just be that one extra thing which would be helpful to us).
-Robyn

Little Hamster
Regular
Posts: 62
Joined: Thu Oct 07, 2004 3:16 pm

Post by Little Hamster » Wed Jan 19, 2005 5:53 pm

I tried adding a comment to your blog. I believe I got it right the first time. I was led back to the page of the entry, but without the style sheet. And I can't see my comment either. I believe the server/blog stopped working right at that moment because I get this when I click on the banner:

Fatal error: session_start(): Failed to initialize storage module: user (path: /tmp) in /home/virtual/site34/fst/var/www/html/s9y/clean/serendipity/index.php on line 10


Have you tried using a different browser too? For example Firefox? Maybe you can pinpoint whether it's a client or server problem?

tired_one
Regular
Posts: 25
Joined: Thu Jan 13, 2005 11:51 pm
Location: USA

Post by tired_one » Wed Jan 19, 2005 5:56 pm

I got your comment. :)

yeah - that particular server has issues sometimes...

I really think it's an issue with settings on the client machine since this was brought to my attention by the users of the production blog which lives on a different, more stable server.

Just out of curiosity - what browser with what privacy settings did you use?
-Robyn

Little Hamster
Regular
Posts: 62
Joined: Thu Oct 07, 2004 3:16 pm

Post by Little Hamster » Wed Jan 19, 2005 6:03 pm

Firefox on Linux, and accept all cookies (I assume that's what you mean by security setting). My blog isn't high traffic so I don't have a lot of user statistics on which client browsers work. But I can say that the captcha works fine with Firefox on Windows, Safari and Mozilla + Firefox on Linux.

tired_one
Regular
Posts: 25
Joined: Thu Jan 13, 2005 11:51 pm
Location: USA

Post by tired_one » Wed Jan 19, 2005 6:09 pm

Ah - so you're allowing all cookies?

If you change that setting to block all cookies, the captcha doesn't work regardless of browser and os/platform.

To me, forcing a user to enable cookies in order for features to work is kind of unreasonable...some people are really anal about those types of security issues. Me, for instance. I don't want anyone putting a file on my machine without my explicit permission.
-Robyn

garvinhicking
Core Developer
Posts: 30020
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking » Wed Jan 19, 2005 6:10 pm

The error message about the "storage / user" thing indicates that it's a problem on your Server side, not Client side.

It seems that your session saving/storage is freaked up, did you specify right session.save_path? Did you make sure /tmp is writable, and that your disk isn't full?

For Captchas to work properly, you will need Sessions. If you use URL Rewriting within Apache, you will also need to have Cookies enabled because the way plugins are called, they can only get PHPSESSID via cookie and not via URL. In early 0.8 Serendipity versions we now tell the user that he should enable Cookies to post to Captchas.

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/

Little Hamster
Regular
Posts: 62
Joined: Thu Oct 07, 2004 3:16 pm

Post by Little Hamster » Wed Jan 19, 2005 6:12 pm

It actually says so on the text above the captcha picture:
Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.


I didn't implement the plugin, obviously, so I have no idea if it's possible to do captcha without cookies. Have you considered modifying the current plugin for your purpose?

tired_one
Regular
Posts: 25
Joined: Thu Jan 13, 2005 11:51 pm
Location: USA

Post by tired_one » Wed Jan 19, 2005 6:14 pm

that 'storage/user' message had nothing to do with the problem - although it is an annoyance for me. I don't have that issue in my production environment and still have the captcha issue.

In my production environment, URL rewriting is disabled. So, by your post since we're not using URL rewriting we shouldn't need to have cookies enabled, right? However, it seems that they *do* need to be enabled since we are experiencing this problem. ;)
-Robyn

garvinhicking
Core Developer
Posts: 30020
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking » Wed Jan 19, 2005 6:17 pm

When you deactivate URL rewriting you need to enforce PHP's automatic Session URL rewriting, so that it appends ?PHPSESSID to the links properly.

I really suspect that it has to do with the serverside, the captcha plugin is working on quite a few other sites without the problems. Did you check the spamblock logfile? It should tell you why/if a comment was rejected, and why the check failed.

You may need to update the plugin to latest CVS code, because the logging has been improved there (and uses a DB table).


HTH,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/

tired_one
Regular
Posts: 25
Joined: Thu Jan 13, 2005 11:51 pm
Location: USA

Post by tired_one » Wed Jan 19, 2005 6:18 pm

lol...you know - I never even saw that text in the message. Well, at least this gets me out of trouble now...
-Robyn

tired_one
Regular
Posts: 25
Joined: Thu Jan 13, 2005 11:51 pm
Location: USA

Post by tired_one » Wed Jan 19, 2005 6:43 pm

Garvin - which settings in php.ini do I need to check to ensure that php is doing the url rewrite? I can write decent code, but I'm not very good at configuring stuff on the server...lol.

Thanks.

Directive                   Local Value   Master Value
session.auto_start          Off           Off
session.bug_compat_42       On            On
session.bug_compat_warn     On            On
session.cache_expire        180           180
session.cache_limiter       nocache       nocache
session.cookie_domain       no value      no value
session.cookie_lifetime     0             0
session.cookie_path         /             /
session.cookie_secure       Off           Off
session.entropy_file        no value      no value
session.entropy_length      0             0
session.gc_divisor          100           100
session.gc_maxlifetime      1440          1440
session.gc_probability      1             1
session.name                PHPSESSID     PHPSESSID
session.referer_check       no value      no value
session.save_handler        files         files
session.save_path           /tmp          /tmp
session.serialize_handler   php           php
session.use_cookies         On            On
session.use_only_cookies    Off           Off
session.use_trans_sid       Off           Off


Let me guess - this is what I need to turn on: session.use_trans_sid Off Off
Last edited by tired_one on Wed Jan 19, 2005 6:58 pm, edited 1 time in total.
-Robyn

garvinhicking
Core Developer
Posts: 30020
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking » Wed Jan 19, 2005 6:55 pm

Hi Robyn!

session.use_trans_sid is the one you'll have to set to 'TRUE'.

However, read the docs about possible side effects this may have (security, performance) here: http://uk.php.net/session

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
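Added example (not part of any post in this thread, and not Serendipity or PHP project code): a small Python audit of the session directives in a phpinfo() dump like the one posted above. It compares the current settings with the proposed session.use_trans_sid change. The finding codes, the SHARED_DIRS set and the hardened save path are assumptions made for illustration.

```python
import re

# Constructed sample: a subset of the directive dump posted in the thread.
PHPINFO_DUMP = """\
session.entropy_file no value no value
session.save_handler files files
session.save_path /tmp /tmp
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid Off Off
"""

SHARED_DIRS = {"/tmp", "/var/tmp"}  # assumption: shared, world-writable dirs


def parse_phpinfo(text):
    """Return {directive: local value} from 'name local master' lines."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"(session\.\w+)\s+(.+)$", line.strip())
        if not m:
            continue
        tokens = m.group(2).split()
        # Local and master values are assumed to have the same word count
        # ("no value no value"), so the local value is the first half.
        settings[m.group(1)] = " ".join(tokens[: max(1, len(tokens) // 2)])
    return settings


def is_on(value):
    return value.strip().lower() in {"on", "1", "true", "yes"}


def audit(settings):
    """Return sorted finding codes (hypothetical names) for risky settings."""
    findings = []
    if is_on(settings.get("session.use_trans_sid", "Off")):
        findings.append("sid-in-url")  # id leaks via Referer, logs, shared links
    if not is_on(settings.get("session.use_only_cookies", "Off")):
        findings.append("accepts-url-sid")  # URL-supplied ids allow fixation
    if (settings.get("session.save_handler") == "files"
            and settings.get("session.save_path") in SHARED_DIRS):
        findings.append("shared-save-path")  # session files in a shared dir
    return sorted(findings)


current = parse_phpinfo(PHPINFO_DUMP)
proposed = dict(current, **{"session.use_trans_sid": "On"})
print("current :", audit(current))
print("proposed:", audit(proposed))
```

Turning on session.use_only_cookies clears the fixation finding but rejects the URL-carried session id that cookie-less commenters would rely on, which is the trade-off discussed in the thread.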
