Hello,
I think this module is GREAT as captcha modules are very frustrating for users.
I encountered a problem after enabling this module and wanted to share.
When I logout of the site, then right after go to the login page and login, I consistently get this error message:
Form session reuse detected. Please do not use "Back" to submit this form from browser history - it will not be accepted.
If I then try again, I'm able to login correctly, but the above error message shows each time a user decides to log back into the site after maybe or on purpose logging out of the site.
I hope this issue may be looking into when you have time.
Thank you and please let me know if I can provide any further information.
Comments
Comment #1
iva2k commentedThanks for the report.
I tried to reproduce it using FireFox, and I did not have this problem.
Can you give more details - what browser you use? do you login using block or login page?
Comment #2
YK85 commentedI think I may have found a issue on multilingual sites.
My setup:
http://example.com/ << French Language, no error messages
http://example.com/en << English Language, consistently shows error message
The error never shows for http://example.com/ (French) but happens on all browsers for http://example.com/en (English)
Scenario that doesn't work (with /en) on all browsers
1) went to http://example.com/en/login and login
2) after logging in it takes me to http://example.com/en, then I log out immediately
3) I immediately go to http://example.com/en/login and try logging in again
Same scenario as above without the /en works flawlessly on all browsers
The URL when the error shows for /en looks like:
http://example.com/en/login?a35b_name=bdf9f390911935599fbdda6721_form
I only enabled setting for form_id as user_login for testing.
When form_id for user_login is not selected, the error never shows.
Please let me know if I can provide any further information to help troubleshoot this problem.
Thank you very much for looking into this issue.
Comment #3
YK85 commentedKindly setting status back to 'active'
Thank you
Comment #4
iva2k commentedThanks for additional details.
There is no such path as /en/login. Did you mean en/user/login?
I tried on a multilingual site, but still am unable to reproduce your problem. Can you post your configuration from the following pages:
Comment #5
kndrI can cofirm this bug. I am using Pressflow, which doesn't support sessions for anonymous users (for high performance reasons). This way, session_id for anonymous users change for every page refresh - also, when forms are submitted. Botcha validation depends on functions: drupal_get_token() and drupal_valid_token(). This method will not work properly, when session id is changing for every page reload. Pressflow incompatibility (and Drupal 7, I suppose) is quite common problem in modules, which use session handling for anonymous users. Look at http://drupal.org/node/562374 and http://drupal.org/node/672566. There is a method to do make a workaround. You can use $_SESSION variable instead of D6 session handling. I've made some little changes in Botcha.
Unfortunately your code doesn't fit to drupal code standards http://drupal.org/coding-standards at all and my attached patch is very ugly. Especially Lines should have no trailing whitespace at the end. I am strongly recommend to use Drupal coding standards. It is very important for patch contributors, who can help you maintain the code. Clean and elegant code makes Drupal world better :)
Main changes:
Comment #6
YK85 commentedSorry for the late reply! I missed the update asking for the settings.
Below are my settings:
Comment #7
iva2k commented@YK85
In the light of post #5 by kndr, are you using Pressflow?
Comment #8
YK85 commentedHi iva2k,
I am not using Pressflow.
I think I forgot to mention I am using URL Alter module to change the url from user/login and user/register to /login and /register. But I'm not sure if this has any negative effects as the errors only happen for example.com/en and not for example.com/
I hope this information helps!
Many thanks
Comment #9
iva2k commentedSorry for the delay - got slammed with a lot of (good) work lately. I read that there may be two separate issues...
One - multilingual problems, which I was not able to reproduce on my multilingual site. It seems like a borderline usability issue, but I'd like to get to the bottom of it. If you still have issues with latest 6.x-1.x-dev, please post details here. Also if you could provide a link (private message is ok), it will help too.
Two - pressflow session reset issue. For the pressflow please open a separate issue if it is still relevant, and I will appreciate a patch (even messy with spaces etc.)
Comment #10
Kutakizukari commentedI'm using pressflow and getting the same error when trying to log back in whether it is the login block or the page.
Comment #11
Kutakizukari commentedMine gives an extra error:
Though I have my username and password stored in the KeePass Password Safe, so I know it is the correct one.
Comment #12
iva2k commentedI will check the pressflow edits proposed in #5 from perspective if they are transparent (no regression) without pressflow.
Comment #13
Chad_Dupuis commentedsub -- another person experiences the pressflow issue since the last two updates I believe...
Comment #14
iva2k commentedIt's a little too late to split the two issues here. Original issue was "Re-login problem on multilingual site"; Second issue "Compatibility with Pressflow". I'm renaming accordingly as the "Form session reuse detected." title is a misleading catch-all (a mere symptom and it can appear for any number of issues).
I tested without Pressflow and committed code from #5 by kndr into 6.x-1.x-dev and closing this issue. Please do not reopen this one and file a new issue (regardless of relevance to this thread).
Comment #16
fehin commentedMy site is not multilingual and I don't use pressflow but I'm getting similar error
Comment #17
iva2k commentedJust getting this error message does not mean you have a problem. Botcha makes sure that any protected form is submitted only once. If you see that message, only one of two things have happened:
1. User pressed "back" in the browser and submitted form again
2. User spent very long time filling the form and submitted it (long time means many hours e.g. page opened yesterday and you came back to the PC and logged in. Browser using cached page could be also source of this, but none of mainstream browsers have caching issues anymore)
This issue was about a third situation not on this list that was not supposed to be happening. If you encounter any of the two listed situations, it is not an error but a normal Botcha operation.
Feel free to reopen with detailed step-by-step explanation and your browser/version if you believe you have an issue.Please do not reopen this one and file a new issue (regardless of relevance to this thread) with detailed step-by-step explanation and your browser/version if you believe you have an issue.
Comment #19
iva2k commentedNeed to port this fix to D7.
Comment #20
iva2k commentedUpon code inspection from #1045192: D7 Port (BOTCHA), it has a different code for saving session for anonymous users.
Comment #22
joyseeker commentedFor anyone reading this thread -- I just had the same thing happen with a multisite setup I moved to a new server. It turned out I typed the directory under sites for the subdomain incorrectly, so when I went to the subdomain front page to login, I had the "Form session reuse detected..." error. It just happened that because I was logging in to the main site that the subdomain was confused which database it was to go to so it saw a previous login session since I shared the users tables. I checked and fixed the names of my subdomain directories, and the error went away. Whew!
Comment #23
vako commentedMy site is Drupal 6.28 and I have used BOTCHA 6.x-3.x-dev and 6.x-3.0 with the same results.
It's not a multilingual site and it's not reproducible, happens some of the time with FireFox and Chrome.
I don't click on the back button and don't take time to fill the form.
Note that I use the Boost module as well, but even after disabling it, I have visitors complain about the same issue.
Surely one other module is conflicting with it, wish we can find the solution.