When testing 161572, I noticed that even though it does say it denies the user when logging in with the incorrect captcha information, it still starts the user session and the user is logged in. Try this:

After updating to the latest Captcha 3.x and running update.php, add a captcha to the user_login form. Now go to user, you'll see a Captcha form at the bottom. Put in your username and password, and the incorrect captcha. Press Submit, and you'll be "denied" access. Now go to ?q=user again in your browser and you'll see that you're now logged in. Strange? Yes.

Comments

robloach

Priority: Normal » Critical

This issue has to be resolved before the code freeze. Sorry about sticking these two forms in by default guys. There are two solutions:
1) Remove the forms from the selection in the settings
2) Resolve the issue by making the user login work with Captcha

robloach

Status: Active » Needs review
Attached file: 932 bytes (new)

This patch works around the user login process before the Captcha stuff by forcing the user to logout if they entered the incorrect Captcha information. It makes Captcha work on both the user login block and the user login page.

robloach

Could you guys please do a bit of testing with this?

1) Apply the patch
2) Logout and try to login with the right credentials, but incorrect captcha
3) Re-visit ?q=user
4) Repeat, testing with different methods

soxofaan

I think there is something wrong with the approach. In my test setup captcha_validate() is called before user_login_validate() (which logs the user in). In the patch you try to log the user out when the CAPTCHA was wrong, but the user is not logged in at that point. It can be seen in the watchdog messages like "Session closed for user." (note the absence of the user name).
Practically the user_logout() in captcha_validate() is equivalent to drupal_goto().

robloach

If user_login_validate() is called before captcha_validate(), couldn't we just then call drupal_goto() to skip the call to user_login_validate()?

We have to get user logins compatible with Captcha before 3.0 final.

soxofaan

Attached file: 1.09 KB (new)

Here is a patch which uses drupal_goto() instead of user_logout().

soxofaan

Attached file: 1.06 KB (new)

Sorry, new version of patch (the trick with drupal_destination() from the patch at #6 was not needed).
Very simple solution and it works for me.
Even the error message "wrong CAPTCHA answer" still shows up on a wrong response.
The only remaining issue I still see is that the CAPTCHA form element is not highlighted (with the "error" CSS class) after a wrong response.
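The approach of this patch, written out as an added example that is not the Captcha module's own code: a Drupal 5 style validate handler that leaves the request via drupal_goto() on a wrong answer, so the later user_login_validate() (which starts the session) never runs. The helper names prefixed captcha_example_ and the session key are assumptions for illustration.

```php
<?php
// Added example, not the Captcha module's code. Assumes Drupal 5 hook_validate()
// signature ($form_id, $form_values) and the assumed helper names below.

// Assumed helper: the expected solution is kept server-side in the session,
// never in the submitted form, and is consumed on first use so a correct
// answer cannot be replayed against a second login attempt.
function captcha_example_check_answer($response) {
  if (!isset($_SESSION['captcha_example_solution'])) {
    return FALSE;
  }
  $expected = $_SESSION['captcha_example_solution'];
  unset($_SESSION['captcha_example_solution']);
  return is_string($response) && strcmp(trim($response), $expected) === 0;
}

// Validate handler registered for the user_login form.
function captcha_example_validate($form_id, $form_values) {
  $response = isset($form_values['captcha_response']) ? $form_values['captcha_response'] : '';
  if (captcha_example_check_answer($response)) {
    // Correct answer: let the remaining validators, including the login, run.
    return;
  }
  // form_set_error() also calls drupal_set_message(), and messages live in
  // $_SESSION['messages'], so the "wrong CAPTCHA answer" text survives the
  // redirect below. The static form-error state (the "error" CSS class on the
  // element) does not, which is the cosmetic gap noted in the thread.
  form_set_error('captcha_response', t('The answer you entered for the CAPTCHA was not correct.'));
  // drupal_goto() sends the Location header and calls exit(): nothing later in
  // this request executes, including user_login_validate(), so no session is
  // started for a request that failed the CAPTCHA.
  drupal_goto($_GET['q']);
}
```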

robloach

Status: Needs review » Reviewed & tested by the community

Tested and it works!

robloach

Status: Reviewed & tested by the community » Fixed

Excellent. Thanks for helping with this one.

Anonymous

Status: Fixed » Closed (fixed)