As designed: Option "Enable CAPTCHA for guests" does not enable it for the login page.

Affected version
2.3.6
Hello,

template "register_form" contains:
XML:
<xf:captcharow label="{{ phrase('verification') }}" hint="{{ phrase('required') }}" context="xf_register" />

template "login" contains:
XML:
<xf:if is="$captcha">
    <xf:captcharow label="{{ phrase('verification') }}" force="true" force-visible="true" context="xf_login" />
</xf:if>

Captcha is enabled:
Code:
Setup -> Options -> User registration
"Enable CAPTCHA for guests" is set to "Use hCaptcha"


Issue Description:
When "Enable CAPTCHA for guests" is set up CAPTCHA is displayed and validated correctly on the sign-up (registration) page. However, on the sign-in (login) page, no CAPTCHA is displayed.
If the conditional <xf:if is="$captcha"> is removed from the "login" template, the CAPTCHA widget becomes visible. However, the CAPTCHA response is not validated on form submission, allowing login to proceed without requiring a correct CAPTCHA solution.

Expected Behavior:
CAPTCHA should appear on the login form when enabled in options ("Enable CAPTCHA for guests"), and the CAPTCHA response should be validated properly to prevent login if the CAPTCHA is incorrect.
 
The captcha is not designed to be displayed for every login attempt.

It is displayed conditionally if a number of failed login attempts are detected, depending on the failed login settings.

This is currently working as designed.

 
You'll need an Add-on to have a CAPTCHA for every login.


But why would you want to have this anyway?

When a login is performed there are basically 5 possible scenarios:
  1. The account was created by a human and this human tries to log in
  2. The account was created by a human but got compromised and another unauthorized human tries to log in
  3. The account was created by a human but got compromised and a bot tries to log in
  4. The account was created by a bot and a human tries to log in with the recorded credentials
  5. The account was created by a bot and another bot tries to use the recorded credentials
Only scenarios 3) and 5) could probably benefit from a login CAPTCHA. Do you really think that's worth the annoyance of CAPTCHAs?
 
Kirby is right. This is exactly why CAPTCHA on login isn’t available on all logins.

Deliberately putting barriers that will mostly affect legitimate users is a bad UX and should be avoided.
 
The account was created by a human but got compromised and a bot tries to log in
We should also name the technique: credential stuffing, which has become very popular in the past years and seems to have already affected many XF installations (especially those with a larger user base).

If it's an advanced hacker (e.g. a new IP address for every request), IMHO only a CAPTCHA or a similar technique can prevent that type of attack.
 
Yes, this is a problem - but IMHO not big enough to justify annoying everyone with a CAPTCHA on login.

There are quite a few things that could be done and that would be way less intrusive:
  • Encourage users to use 2FA
  • Probably strengthen password complexity checks, e.g. reject very easy / common passwords like Password, Test, etc.
  • Check for leaked credentials
  • Check for unusual behaviour
    For example if a user account hasn't logged in for years and now tries to login from a Datacenter / Proxy / VPN IP
A CAPTCHA would not stop such attacks; in fact, it could help to mask them, as unsuccessful attempts would not trigger any action / alert / log, or would cause the bot not to attempt a login at all.
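The two detection ideas from the post above (a dormant account suddenly logging in from a datacenter / proxy / VPN address, and a credential-stuffing run that rotates IPs so no per-IP failed-login counter ever fires) can be checked against a login log without any CAPTCHA. The following is an added example and not XenForo code: it assumes a log with one line per attempt in the form `<ISO timestamp> user=<name> ip=<address> result=<ok|fail>`, an account table giving each account's last successful login, and a list of hosting ranges; all three are constructed sample data here, and the function and field names are this example's own.

```python
"""Login-abuse heuristics over constructed sample log lines (added example, not XenForo code).

Assumes: a log line format "<ISO timestamp> user=<name> ip=<addr> result=<ok|fail>",
an account table with each account's last successful login, and a list of
datacenter / proxy / VPN ranges. All three are constructed here for the demo.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log: one legitimate login, then a credential-stuffing run that
# tries one account per request from a fresh hosting-range IP each time and
# succeeds once against an account that has not logged in for years.
SAMPLE_LOG = """\
2025-01-10T09:00:00 user=alice ip=192.0.2.10 result=ok
2025-01-10T09:05:00 user=bob ip=203.0.113.5 result=fail
2025-01-10T09:05:07 user=carol ip=203.0.113.18 result=fail
2025-01-10T09:05:15 user=dave ip=198.51.100.22 result=fail
2025-01-10T09:05:21 user=erin ip=198.51.100.40 result=fail
2025-01-10T09:05:33 user=frank ip=203.0.113.61 result=fail
2025-01-10T09:05:40 user=bob ip=203.0.113.77 result=ok
2025-01-10T09:05:52 user=grace ip=198.51.100.9 result=fail
"""

# Constructed account table (hypothetical): last successful login before this log.
LAST_LOGIN = {
    "alice": "2024-12-20T18:30:00", "bob": "2019-02-10T08:00:00",
    "carol": "2024-11-01T12:00:00", "dave": "2025-01-02T07:45:00",
    "erin": "2023-12-30T22:10:00", "frank": "2024-06-15T09:00:00",
    "grace": "2024-09-09T14:20:00",
}

# Constructed "hosting" ranges (RFC 5737 documentation prefixes); use a real feed in practice.
HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]

EPOCH = datetime(1970, 1, 1)


def parse_log(text: str) -> list[dict]:
    """Parse log lines into events; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                       "ip": ipaddress.ip_address(m["ip"]), "ok": m["result"] == "ok"})
    return events


def is_hosting_ip(ip) -> bool:
    return any(ip in net for net in HOSTING_RANGES)


def dormant_account_from_hosting(events, last_login, dormant_days=730):
    """Flag attempts against accounts idle for >= dormant_days that arrive from a
    hosting / proxy / VPN address. A successful one is the strongest signal."""
    hits = []
    for ev in events:
        last = last_login.get(ev["user"])
        if last is None:
            continue
        idle = ev["ts"] - datetime.fromisoformat(last)
        if idle >= timedelta(days=dormant_days) and is_hosting_ip(ev["ip"]):
            hits.append({"user": ev["user"], "ip": str(ev["ip"]),
                         "ok": ev["ok"], "idle_days": idle.days})
    return hits


def stuffing_windows(events, window=timedelta(minutes=10), min_users=5, max_per_ip=2):
    """Credential-stuffing signature: within one time window many *different*
    accounts fail while no single IP fails more than max_per_ip times, so a
    per-IP failed-login counter never fires. Returns one summary per flagged window."""
    buckets = defaultdict(list)
    for ev in events:
        if not ev["ok"]:
            buckets[(ev["ts"] - EPOCH) // window].append(ev)  # fixed 10-minute buckets
    flagged = []
    for key, fails in sorted(buckets.items()):
        per_ip = Counter(str(ev["ip"]) for ev in fails)
        users = {ev["user"] for ev in fails}
        if len(users) >= min_users and max(per_ip.values()) <= max_per_ip:
            flagged.append({"window_start": (EPOCH + key * window).isoformat(),
                            "failed_attempts": len(fails), "failed_users": len(users),
                            "distinct_ips": len(per_ip), "max_per_ip": max(per_ip.values())})
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in dormant_account_from_hosting(evs, LAST_LOGIN):
        print("dormant account from hosting IP:", hit)
    for w in stuffing_windows(evs):
        print("credential stuffing window:", w)
```

On the sample data the per-IP failure count never exceeds one, which is exactly the "new IP address for every request" case where a per-IP threshold (the condition under which the built-in login CAPTCHA appears) sees nothing; the window-level view still exposes six different accounts failing from six different addresses in under a minute, and the one success is against an account idle for about six years. Both signals come from failed and successful attempts being logged, which is the point made above about a CAPTCHA hiding them.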
 