Caching allows captcha validation bypass

Created on 21 August 2025, about 1 month ago

Problem/Motivation

On site configurations where forms are cached, ALTCHA validation can potentially be bypassed.

Steps to reproduce

  • Create any form with ALTCHA configured as CAPTCHA type
  • Make sure the internal page cache module is enabled and configured
  • As an anonymous user, open the created form twice in the browser. Both copies should have the same captcha_sid hidden field value when inspected via the browser
  • As an anonymous user, fill in the ALTCHA challenge and submit the first form
  • As an anonymous user, skip the ALTCHA challenge (the required property should manually be removed via the browser inspector) and submit the second form

The second form submit should throw a validation error, but is actually submitted since the captcha_sid was already marked with status 1 in the captcha_sessions table.

Proposed resolution

Let the CAPTCHA module know the ALTCHA widget is cacheable, since we always use a custom validation callback, and don't store a solution in the captcha_sessions table anyway.
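
The following is an added example, not code from the ALTCHA or CAPTCHA modules: a simplified Python model of the behaviour described above, with the status-trusting check beside a check that verifies every submission. The class and function names, the "/contact" URL and the "valid-proof" payload are constructed for illustration, and verify_altcha is a placeholder for the real proof-of-work verification.

```python
SOLVED, UNSOLVED = 1, 0

class CaptchaSessions:
    """Stand-in for the captcha_sessions table: captcha_sid -> status."""
    def __init__(self):
        self.rows = {}
        self.next_sid = 1

    def create(self):
        sid = self.next_sid
        self.next_sid += 1
        self.rows[sid] = UNSOLVED
        return sid

def render_form(sessions, page_cache, url):
    """Return the captcha_sid embedded in the form; a cache hit replays it."""
    if url not in page_cache:
        page_cache[url] = sessions.create()
    return page_cache[url]

def verify_altcha(payload):
    """Placeholder (assumption) for verifying the submitted ALTCHA solution."""
    return payload == "valid-proof"

def validate_trusting_status(sessions, sid, payload):
    """Flawed: a sid already marked solved skips the challenge check."""
    if sessions.rows.get(sid) == SOLVED:
        return True
    if verify_altcha(payload):
        sessions.rows[sid] = SOLVED
        return True
    return False

def validate_every_submission(sessions, sid, payload):
    """Hardened: each submission is checked on its own payload, so a sid
    shared through the page cache carries no 'already solved' state."""
    return verify_altcha(payload)

def demo(validate):
    """Two anonymous loads of one cached form, then two submissions."""
    sessions, cache = CaptchaSessions(), {}
    first = render_form(sessions, cache, "/contact")
    second = render_form(sessions, cache, "/contact")  # served from cache
    return (first == second,
            validate(sessions, first, "valid-proof"),  # challenge solved
            validate(sessions, second, None))          # challenge skipped
```

demo(validate_trusting_status) accepts the second submission without a solution; demo(validate_every_submission) rejects it.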

🐛 Bug report

Status: Active
Version: 1.0
Component: Code
Created by: robindh (🇧🇪 Belgium)
