Access CMS-Session

Kumquats
Forum Members
Posts: 11
Joined: Tue Feb 04, 2014 10:34 am

Post by Kumquats »

Is there a way to access the CMS's session?
I want to create my own Captcha... I always have problems getting the Captcha Module to validate on the first attempt, especially when I use it via ajax. Also, no reload is possible, as the Captcha Module provides a cached image.

Up to CMSmadesimple 1.9, I used the following code in my own PHP file to write my own variable for the Captcha:


# replace the outcome of __dir__ if in another directory
$dirname = '__dir__';
$session_key = substr(md5($dirname), 0, 8);
@session_name('CMSSESSID' . $session_key);
session_start();
$_SESSION['kapt_number']=$mysecret;

(here follows the creation of the Captcha-Picture...)

And then a verify UDT in Formbuilder:


if ( $params['captcha'] == $_SESSION['kapt_number'] ){
return array(true);
}else {
return array(false, "Captcha neu eingeben");
}

In the UDT, I was able to access the Session and validate the form.

Now, I guess for security reasons, this is not possible anymore. Is there another way?
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm

Post by calguy1000 »

We do not support accessing CMSMS sessions from PHP files that are not part of CMSMS modules.

Post by Kumquats »

Ah okay. Thanks for the quick reply.
Well actually the reason for this is my difficulties with Captcha.
An image directly created from a PHP-File, so you can reload it independently from the page or form (with new validation code etc.) makes more sense for me.

Captcha often doesn't validate in the first attempt. A captcha is already annoying, then to not validate although the input was correct, even more.

Well, I am not so acquainted with these security issues and programming. Maybe there would be something possible with the Skeleton Module...
velden
Dev Team Member
Posts: 3497
Joined: Mon Nov 28, 2011 9:29 am

Post by velden »

Not an answer to your question.

Have you considered using a visitor friendly way? I often use one extra form field with a name like 'email', 'url' or 'message' and hide that from visitors with some css.

Then in FB check that the field contains no data (regex validation).
Often that's enough to stop spam bots.

No complaints from customers about spam after this.

If you want to implement this in an existing form I'd suggest to use a name for this new field that is already used on your form. Of course you'd need to change the name of the existing field and change the email template accordingly (and perhaps form template if you customized it).

Post by Kumquats »

Right, thx. Yes, I was. And also a time check is possible: how long it takes to fill out the form.
But until now, I thought captcha would be the most effective way... and it's the provided module.

So far, I haven't gotten much spam on my pages. Was the honeypot prevention the only spam prevention you used?
JohnnyB
Dev Team Member
Posts: 731
Joined: Tue Nov 21, 2006 5:05 pm

Post by JohnnyB »

I've been using almost the same technique for about 7yrs.
It uses a combo of javascript and server side regex to verify human users.

The javascript sets a special word into a hidden form field. You can use jQuery inside of a User Defined Tag to make this easy. (The jQuery library is required, of course, and needs to load before the snippet):

I place calls to jquery at the bottom of my page, so I just put this into my on doc ready javascript:

Code: Select all

<script type="text/javascript">{literal}
$(document).ready(function(){
	$("#antispam").val("antispam");
});
{/literal}</script>

It can also be printed from a UDT and then called into the form using the UDT options for formbuilder. Anyway, it just writes the word, "antispam" or whatever word you choose, into a field with an ID of antispam...

Next, in formbuilder, create a hidden field called, 'antispam' - I hide using the form options and with CSS by setting a class for it.

Set an ID in the field options called, 'antispam'

Then, use some validation rules to check if the antispam field contains the correct word entered during form submission.
regex:

Code: Select all

/antispam/i
or replace 'antispam' with your own word....
Save the field settings.

Generally, spam bots are command line or some other interface that doesn't parse javascript. And, a spammer wants to fill in every empty field. So, when a spam bot comes by, it will fill in the field with something other than what the regex specifies and then the form is not submitted. Spam has not been a problem with this at all.

A question often asked is what if the user doesn't support javascript?

I used to care that some people may have javascript turned off and would not be able to send via a form. But, it is such a low percentage now. It hasn't been an issue for 100s of sites using this type of approach. Also, most legitimate sites will have an email address provided somewhere on the contact page or in the footer/header, so if a non-javascript user was stuck, they would still have the means to contact....

But, really, just an empty field with regex checking that it is empty upon submission would be sufficient. I've just been doing it with JS out of habit ;)

Post by velden »

Kumquats wrote: So far, I haven't gotten much spam on my pages, was the honeypot prevention the only spam prevention you used?
Well, I implemented it on a few customers' sites that complained about spam. After implementation they didn't complain anymore (all of them). So I think it worked, but I did not really ask them about it.

Post by Kumquats »

Thx guys, this gives me more orientation. So I will handle it that way and check for a while if any spam occurs..

Post by Kumquats »

So,
I implemented these spam preventions... a honeypot and a time-to-fill check for the form.
Now our game to win a puppet has been spammed by obviously machine-generated emails.
They look like this: uwe.tacker570140@skyghost.de

A made-up name and a 6-digit number and a host which doesn't exist officially. As an email host, it probably exists.

They fill out the form every 20 seconds, so my time-to-fill prevention is useless.

So, I can say now that these spam preventions are useless, and I will return to captcha and another thing and will let you know on this.
Also it might be a question of how attractive a spamming or betrayal might be...

Post by velden »

If bots are custom made for your form, you can't use this solution.

However, consider exchanging some field names.

If you're using a field 'email' now, make that the one you require to stay empty and introduce a new name for the real email field.
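
The honeypot and time-to-fill checks discussed in this thread, written as an added example (not code from any poster or from CMSMS): the form carries a server-signed issue time, so the check does not depend on the CMS session or on a value the client sets. The field names `url` and `form_token`, the secret and the thresholds are assumptions.

```php
<?php
// Added example: stateless honeypot + time-to-fill validation for a contact form.
// FORM_SECRET, the field names and the thresholds are assumptions, not CMSMS APIs.
const FORM_SECRET      = 'replace-with-a-long-random-value'; // placeholder secret
const MIN_FILL_SECONDS = 5;    // anything faster is treated as automated
const MAX_TOKEN_AGE    = 3600; // a rendered form is accepted for one hour

// Called when the form is rendered; the result goes into a hidden "form_token" field.
function issue_form_token(int $now): string
{
    $payload = $now . '.' . bin2hex(random_bytes(8)); // issue time + random nonce
    return $payload . '.' . hash_hmac('sha256', $payload, FORM_SECRET);
}

// Called on submission. Returns array(true) or array(false, message), the same
// shape as the validation UDT earlier in the thread.
function validate_submission(array $params, int $now): array
{
    // 1. Honeypot: the CSS-hidden field must arrive empty (exact test, not a substring regex).
    if (($params['url'] ?? '') !== '') {
        return array(false, 'honeypot filled');
    }
    // 2. The token must be well-formed and carry a valid MAC, so the issue time cannot be forged.
    $parts = explode('.', (string) ($params['form_token'] ?? ''));
    if (count($parts) !== 3 || !ctype_digit($parts[0])) {
        return array(false, 'token malformed');
    }
    [$issued, $nonce, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $issued . '.' . $nonce, FORM_SECRET), $mac)) {
        return array(false, 'token invalid');
    }
    // 3. Time-to-fill, measured from the server-signed issue time rather than a client value.
    $age = $now - (int) $issued;
    if ($age < MIN_FILL_SECONDS) {
        return array(false, 'submitted too fast');
    }
    if ($age > MAX_TOKEN_AGE) {
        return array(false, 'token expired');
    }
    return array(true);
}

// Constructed sample submissions against one issued token.
$t0    = 1700000000;
$token = issue_form_token($t0);
var_dump(validate_submission(['url' => '', 'form_token' => $token], $t0 + 30));         // human-paced
var_dump(validate_submission(['url' => 'http://x', 'form_token' => $token], $t0 + 30)); // honeypot filled
var_dump(validate_submission(['url' => '', 'form_token' => $token], $t0 + 1));          // submitted at once
var_dump(validate_submission(['url' => '', 'form_token' => $token . '0'], $t0 + 30));   // tampered token
```

A token stays valid until it expires, so a bot that fetches the form once and replays the same token every 20 seconds still passes the time check; rejecting reuse needs a server-side record of seen nonces. Bots written for one particular form still call for a CAPTCHA or rate limiting on top.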