Hello,

I think this module is GREAT as captcha modules are very frustrating for users.
I encountered a problem after enabling this module and wanted to share.

When I logout of the site, then right after go to the login page and login, I consistently get this error message:

Form session reuse detected. Please do not use "Back" to submit this form from browser history - it will not be accepted.

If I then try again, I'm able to login correctly, but the above error message shows each time a user decides to log back into the site after maybe or on purpose logging out of the site.

I hope this issue may be looking into when you have time.

Thank you and please let me know if I can provide any further information.

CommentFileSizeAuthor
#5 1075722-botcha-kndr-1-D6.patch16.03 KBkndr

Comments

iva2k’s picture

Status: Active » Postponed (maintainer needs more info)

Thanks for the report.
I tried to reproduce it using FireFox, and I did not have this problem.
Can you give more details - what browser you use? do you login using block or login page?

YK85’s picture

I think I may have found a issue on multilingual sites.

My setup:
http://example.com/ << French Language, no error messages
http://example.com/en << English Language, consistently shows error message

The error never shows for http://example.com/ (French) but happens on all browsers for http://example.com/en (English)

Scenario that doesn't work (with /en) on all browsers
1) went to http://example.com/en/login and login
2) after logging in it takes me to http://example.com/en, then I log out immediately
3) I immediately go to http://example.com/en/login and try logging in again

Same scenario as above without the /en works flawlessly on all browsers

The URL when the error shows for /en looks like:
http://example.com/en/login?a35b_name=bdf9f390911935599fbdda6721_form

I only enabled setting for form_id as user_login for testing.
When form_id for user_login is not selected, the error never shows.

Please let me know if I can provide any further information to help troubleshoot this problem.

Thank you very much for looking into this issue.

YK85’s picture

Status: Postponed (maintainer needs more info) » Active

Kindly setting status back to 'active'
Thank you

iva2k’s picture

Status: Active » Postponed (maintainer needs more info)

Thanks for additional details.

There is no such path as /en/login. Did you mean en/user/login?

I tried on a multilingual site, but still am unable to reproduce your problem. Can you post your configuration from the following pages:

  • /admin/settings/performance
  • /admin/settings/language
  • /admin/settings/language/configure
  • /admin/settings/language/edit/en
  • /admin/settings/language/edit/fr
kndr’s picture

Version: 6.x-1.x-dev » 6.x-1.5
Status: Postponed (maintainer needs more info) » Needs review
StatusFileSize
new16.03 KB

I can cofirm this bug. I am using Pressflow, which doesn't support sessions for anonymous users (for high performance reasons). This way, session_id for anonymous users change for every page refresh - also, when forms are submitted. Botcha validation depends on functions: drupal_get_token() and drupal_valid_token(). This method will not work properly, when session id is changing for every page reload. Pressflow incompatibility (and Drupal 7, I suppose) is quite common problem in modules, which use session handling for anonymous users. Look at http://drupal.org/node/562374 and http://drupal.org/node/672566. There is a method to do make a workaround. You can use $_SESSION variable instead of D6 session handling. I've made some little changes in Botcha.

Unfortunately your code doesn't fit to drupal code standards http://drupal.org/coding-standards at all and my attached patch is very ugly. Especially Lines should have no trailing whitespace at the end. I am strongly recommend to use Drupal coding standards. It is very important for patch contributors, who can help you maintain the code. Clean and elegant code makes Drupal world better :)

Main changes:


 function botcha_init() {
 //UNUSED  drupal_add_css(drupal_get_path('module', 'botcha') . '/botcha.css');
+
+  // Pressflow compatibility
+  // Borrowed from http://drupal.org/files/issues/mollom-DRUPAL-6--1.session.41.patch
+  // Expire all botcha session IDs as soon as possible (5 minutes).
+  $now = time();
+  if (isset($_SESSION['botcha_sessions'])) {
+    foreach ($_SESSION['botcha_sessions'] as $id => $timestamp) {
+      if ($now - $timestamp > 5 * 60) {
+        unset($_SESSION['botcha_sessions'][$id]);
+      }
+    }
+  }
+  // If all sessions were removed, also remove our storage key.
+  if (isset($_SESSION) && empty($_SESSION['botcha_sessions'])) {
+    unset($_SESSION['botcha_sessions']);
+  }
+
 }
@@ -376,9 +376,27 @@ function botcha_form_alter_botcha(&$form, $form_state, $form_id, $botcha) {
   }
   $form['#validate'][] = '_botcha_register_form_validate';
   $form['#botcha'] = $botcha;
+
+  // Read timestamp, which is created when session starts
+  $form_timestamp = isset($form_state['post']['form_timestamp']) ? $form_state['post']['form_timestamp'] : time();
+  $form['form_timestamp'] = array (
+    '#type' => 'hidden',
+    '#value' => $form_timestamp,
+  );
+  // Create session_id value
+  $botcha_session_id = md5(ip_address() . $form_timestamp . drupal_get_private_key());
+  // Create new session, when session_id value is unknown
+  if (!isset($_SESSION['botcha_sessions'][$botcha_session_id])) {
+    $_SESSION['botcha_sessions'][$botcha_session_id] = $form_timestamp;
+  }
+  // Keep old session, prevent from clearing in hook_init()
+  else {
+    $_SESSION['botcha_sessions'][$botcha_session_id] = time();
+  }
+
@@ -396,27 +414,27 @@ function botcha_form_alter_botcha(&$form, $form_state, $form_id, $botcha) {
     $form_state['post']['form_build_id'] = $build_id;
     // Issue the client a new build_id, make sure that the form has it set in the hidden field
   }
-  _botcha_set_form_cache($build_id);  // Save build id
+  _botcha_set_form_cache($build_id, $botcha_session_id);  // Save build id
-function _botcha_set_form_cache($form_build_id) {
+function _botcha_set_form_cache($form_build_id, $botcha_session_id) {
   // 6 hours cache life time for forms should be plenty.
   $expire = 21600;
 
   $data = array();
-  $data['#cache_token'] = drupal_get_token();
+  $data['#cache_token'] = $botcha_session_id;
-function _botcha_get_form_cache($form_build_id) {
+function _botcha_get_form_cache($form_build_id, $botcha_session_id) {
   if ($cached = cache_get('botcha_'. $form_build_id, 'cache_form')) {
     $data = $cached->data;
-    if (isset($data['#cache_token']) && drupal_valid_token($data['#cache_token'])) {
+    if (isset($data['#cache_token']) && $data['#cache_token'] == $botcha_session_id) {
 function _botcha_register_form_validate($form, &$form_state) {
   $build_id = isset($_POST['form_build_id']) ? $_POST['form_build_id'] : $form['#build_id'];
+  $botcha_session_id = md5(ip_address() . $form_state['values']['form_timestamp'] . drupal_get_private_key());
@@ -454,7 +473,7 @@ function _botcha_register_form_validate($form, &$form_state) {
       }
       unset($_GET[$field]);
     }
-    if ($recipe->proc == 'check_cache' && !_botcha_get_form_cache($build_id)) {
+    if ($recipe->proc == 'check_cache' && !_botcha_get_form_cache($build_id, $botcha_session_id)) {
YK85’s picture

Sorry for the late reply! I missed the update asking for the settings.
Below are my settings:

/admin/settings/performance

Caching mode:
[x] Normal (recommended for production sites, no side effects) 

Gzip page compression (Boost & Core): 
[x] Enabled

Block cache: 
[x] Disabled

Optimize CSS files: 
[x] Disabled

Optimize JavaScript files: 
[x] Disabled

-----

/admin/settings/language

	[x] enabled en	English	[ ] default
	[x] enabled fr	French	[x] default
  
-----

/admin/settings/language/configure 

Language negotiation: 
[x] Path prefix only.

-----

/admin/settings/language/edit/en

Language code: 
en

Language name in English: *
English

Native language name: *
English

Path prefix: 
en

Language domain: 
(blank)

Direction: *
[x] Left to right

-----

/admin/settings/language/edit/fr

Language code:
fr

Language name in English: *
French

Native language name: *
French

Path prefix: 
(blank)

Language domain: 
(blank)

Direction: *
[x] Left to right
iva2k’s picture

Status: Needs review » Postponed (maintainer needs more info)

@YK85
In the light of post #5 by kndr, are you using Pressflow?

YK85’s picture

Status: Postponed (maintainer needs more info) » Active

Hi iva2k,

I am not using Pressflow.

I think I forgot to mention I am using URL Alter module to change the url from user/login and user/register to /login and /register. But I'm not sure if this has any negative effects as the errors only happen for example.com/en and not for example.com/

I hope this information helps!

Many thanks

iva2k’s picture

Status: Active » Postponed (maintainer needs more info)

Sorry for the delay - got slammed with a lot of (good) work lately. I read that there may be two separate issues...

One - multilingual problems, which I was not able to reproduce on my multilingual site. It seems like a borderline usability issue, but I'd like to get to the bottom of it. If you still have issues with latest 6.x-1.x-dev, please post details here. Also if you could provide a link (private message is ok), it will help too.

Two - pressflow session reset issue. For the pressflow please open a separate issue if it is still relevant, and I will appreciate a patch (even messy with spaces etc.)

Kutakizukari’s picture

I'm using pressflow and getting the same error when trying to log back in whether it is the login block or the page.

Kutakizukari’s picture

Mine gives an extra error:

    "Form session reuse detected. Please do not use "Back" to submit this form from browser history - it will not be accepted."

    "Sorry, unrecognized username or password. Have you forgotten your password?"

Though I have my username and password stored in the KeePass Password Safe, so I know it is the correct one.

iva2k’s picture

Version: 6.x-1.5 » 6.x-1.x-dev
Status: Postponed (maintainer needs more info) » Active

I will check the pressflow edits proposed in #5 from perspective if they are transparent (no regression) without pressflow.

Chad_Dupuis’s picture

sub -- another person experiences the pressflow issue since the last two updates I believe...

iva2k’s picture

Title: Form session reuse detected. » Re-login problem on multilingual site; Compatibility with Pressflow
Status: Active » Fixed

It's a little too late to split the two issues here. Original issue was "Re-login problem on multilingual site"; Second issue "Compatibility with Pressflow". I'm renaming accordingly as the "Form session reuse detected." title is a misleading catch-all (a mere symptom and it can appear for any number of issues).

I tested without Pressflow and committed code from #5 by kndr into 6.x-1.x-dev and closing this issue. Please do not reopen this one and file a new issue (regardless of relevance to this thread).

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

fehin’s picture

Status: Closed (fixed) » Active

My site is not multilingual and I don't use pressflow but I'm getting similar error

Form session reuse detected. Please do not use "Back" to submit this form from browser history - it will not be accepted.
Sorry, unrecognized username or password. Have you forgotten your password?

iva2k’s picture

Status: Active » Fixed

Just getting this error message does not mean you have a problem. Botcha makes sure that any protected form is submitted only once. If you see that message, only one of two things have happened:
1. User pressed "back" in the browser and submitted form again
2. User spent very long time filling the form and submitted it (long time means many hours e.g. page opened yesterday and you came back to the PC and logged in. Browser using cached page could be also source of this, but none of mainstream browsers have caching issues anymore)

This issue was about a third situation not on this list that was not supposed to be happening. If you encounter any of the two listed situations, it is not an error but a normal Botcha operation.

Feel free to reopen with detailed step-by-step explanation and your browser/version if you believe you have an issue.

Please do not reopen this one and file a new issue (regardless of relevance to this thread) with detailed step-by-step explanation and your browser/version if you believe you have an issue.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

iva2k’s picture

Version: 6.x-1.x-dev » 7.x-1.x-dev
Status: Closed (fixed) » Active

Need to port this fix to D7.

iva2k’s picture

Status: Active » Fixed

Upon code inspection from #1045192: D7 Port (BOTCHA), it has a different code for saving session for anonymous users.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

joyseeker’s picture

For anyone reading this thread -- I just had the same thing happen with a multisite setup I moved to a new server. It turned out I typed the directory under sites for the subdomain incorrectly, so when I went to the subdomain front page to login, I had the "Form session reuse detected..." error. It just happened that because I was logging in to the main site that the subdomain was confused which database it was to go to so it saw a previous login session since I shared the users tables. I checked and fixed the names of my subdomain directories, and the error went away. Whew!

vako’s picture

Status: Closed (fixed) » Needs review

My site is Drupal 6.28 and I have used BOTCHA 6.x-3.x-dev and 6.x-3.0 with the same results.
It's not a multilingual site and it's not reproducible, happens some of the time with FireFox and Chrome.
I don't click on the back button and don't take time to fill the form.
Note that I use the Boost module as well, but even after disabling it, I have visitors complain about the same issue.

Surely one other module is conflicting with it, wish we can find the solution.

Status: Needs review » Needs work

The last submitted patch, 1075722-botcha-kndr-1-D6.patch, failed testing.