Captcha input rejected even when it's correct

[drewgg]

Installation: Joomla 1.5.14
Template: JA_Purity
Jcomment Version: 2.1.0.0
Joomla caching is on.

Our site requires the captcha for unregistered users to post comments. However we've noticed that often the captcha is rejected, even though the input is clearly correct, sometimes it needs to be refreshed 5+ times before a captcha is found that is accepted when you type it in.

Is this a known problem? Is there any solution as of yet?



edit:

I edited jcomments.ajax.php and jcomments.captcha.php slightly so that it would output what the user inputted and what it's being matched against. I've attached a screenshot of the results. Every time the page loads the image does not match with what is in $_SESSION['comments-captcha-code']. After the captcha is refreshed (via 3 fails or from hitting the refresh button) the new captcha does match up with the new image.

Originally even after refreshing the captcha the captcha would still incorrectly fail, but I've been unable to recreate that aspect of the issue after making the mentioned edit to the system (the captcha now always matches with the image correctly after it gets refreshed). weird.

[smart]

Seems your browser or proxy is strongly caches image and doesn't reload it...

[drewgg]

You're right; I should have thought of that.


To solve this issue I created a 1 line javascript file that calls the refresher:

Code:

window.onload=function(){jcomments.clear('captcha');}

uploaded it to components/com_jcomments/js/refresh_captcha.js


and added it to any page that loads jcomments with the captcha (line 210-212 of /components/com_jcomments/jcomments.php):

Code:

208 if (JCOMMENTS_JVERSION == '1.5') {
209 $document = & JFactory::getDocument();
210-> if($acl->check('enable_captcha')) {
211-> $document->addScript( 'components/com_jcomments/js/refresh_captcha.js' );
212-> }
213 }

That way, even if the page is strong cached by the browser, the captcha will refresh.

Thanks for pointing me in the right direction.

[drewgg]

I did that and same problem... captcha works only if i click " Refresh "

  That stinks that it didn't work for you. There was a slight error in my original code though. Try changing the refresh_captcha.js file to this:

components/com_jcomments/js/refresh_captcha.js line 1:

Code:

window.onload=function(){
jcomments.clear('captcha');
}

Since refresh_captcha.js is being called in the <head> "jcomments.clear('captcha');" was being executed before the rest of the page is rendered (including the main jcomment code) so you probably were getting a "jcomments is undefined" javascript error.

Sadly though, even after this fix I don't think this solution works. It logically seems correct and it seemed to have resolved the issue on our site for a while but magically it started happening again recently even with this "fix" in place. Even worst, now when it does happen clicking the captcha refresh button numerous times doesn't fix it, nor does clearing the Firefox cache and reloading the page fix it either.

For now on my site I'll be making it so that as long as you type in exactly 5 characters, it'll accept the captcha as correct regardless of what those characters are. This should keep still keep out the auto-spammers while allowing users of strong-caching browsers (like Firefox) to post comments without ever encountering this issue.

If you'd like to do the same for your site here is the change you'll need to make:

/components/com_jcomments/jcomments.captcha.php line ~29:

original:

Code:

return (($code != '') && ($code == $_SESSION['comments-captcha-code']));

edit:

Code:

return (strlen(utf8_decode($code)) == 5);

That takes the code the user entered, decodes it out of UTF-8 and counts it. If it's 5 characters it returns true, else it returns false (the urf8_decode() is optional when I thought about it since all the captcha characters are within the 1-byte UTF-8 domain, but I left it in just in case).

FYI, this new work-around doesn't depend on my non-working one so you can remove those changes and just have this one.

I hope a better solution is found sometime though...

[smart]

Code:

return (strlen(utf8_decode($code)) == 5);

it isn't good idea - this code don't compare given code with stored in session so this code don't protect from spam

I thought about it since all the captcha characters are within the 1-byte UTF-8 domain

all used chars are listed in /com_jcomments/libraries/kcaptcha/kcaptcha_config.php and by default they are:

Code: (php)

$allowed_symbols = "23456789abcdeghkmnpqsuvxyz";

[lohck]

For now on my site I'll be making it so that as long as you type in exactly 5 characters, it'll accept the captcha as correct regardless of what those characters are. This should keep still keep out the auto-spammers while allowing users of strong-caching browsers (like Firefox) to post comments without ever encountering this issue.

If you'd like to do the same for your site here is the change you'll need to make:

/components/com_jcomments/jcomments.captcha.php line ~29:

original:

Code:

return (($code != '') && ($code == $_SESSION['comments-captcha-code']));

edit:

Code:

return (strlen(utf8_decode($code)) == 5);

Thanks for this great workaround! I was close to removing jcomments from my site until I see your hack

Not the most ideal but at least my guests can post now