Skip to content

One time only valid captchas#862

Open
pauser0000001 wants to merge 2 commits intoimpresspages:masterfrom
pauser0000001:master
Open

One time only valid captchas#862
pauser0000001 wants to merge 2 commits intoimpresspages:masterfrom
pauser0000001:master

Conversation

@pauser0000001
Copy link

@pauser0000001 pauser0000001 commented Oct 2, 2017

The capchas should have one use only, otherwise an attacker can send several times the same form with the same captcha once it is solved.
Optionally, a parameter is added to continue with the previous behaviour.

@pauser0000001
One time only valid captchas
3aa6233 
The capchas should be one use only, otherwise an attacker can send several times the same form with the same captcha once it is solved.
Optionally, a parameter is added to continue with the previous behaviour.
@pauser0000001
Anti CSRF value of one use only in forms
e81b9a1 
Delete value of the anti CSRF in the session so it can be created again, making it of one use only, preventing an attacker to send the same form several times.
@maskas
Copy link
Member

maskas commented Oct 7, 2017

Will include in next release.

@pauser0000001
Copy link
Author

pauser0000001 commented Oct 14, 2017

On a second though, as I don't usually use AJAX I didn't realize. What will happen to a single page website made with AJAX?
There should be no problem with the captcha, but it will be with the CSRF token. Perhaps it is better to delete the CSRF token only on forms not received by AJAX, and perhaps only on webs with the debug option set to 0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pauser0000001 @maskas