
Registration Form Timer 2.0

Just looking at this, since I'm about to add something similar to FoolBotHoneyPot

... you might find you still get a few slip through, and you can improve on this.

Some bots (possibly < 1%) do not visit the registration page at all; they simply POST directly to the actionRegister request. This means they won't send the following param:
Code:
$timeThen = $this->_input->filterSingle('time', XenForo_Input::UINT);

So your
Code:
$timeTaken = $timeNow - $timeThen;
Becomes
Code:
$timeTaken = $timeNow; // This is obviously large

So some bots might seem to take forever (but actually slip through just because they don't send this param).

What you could do, is instead of this
Code:
$timeTaken = $timeNow - $timeThen;
First check that the param is set:
Code:
$timeTaken = ($timeThen ? $timeNow - $timeThen : 0);
 
I think you should use session instead of relying on $_REQUEST... it's pretty simple, just use:
PHP:
XenForo_Application::get('session')->set($name, $value);
XenForo_Application::get('session')->get($name);
though I am not sure if it's 'session' or 'sessions' :oops:
 
There is an issue with this: the $timeThen is sent as a template value.
All POST requests can be manipulated, and it's even easier and more obvious to do so when you add it visibly to the template.

So sending it as a template value might not be a good idea (it will work for a while, since bots currently aren't targeting this)

Fundamentally making a bot pause for 15 seconds wouldn't be hard, but for now ... since you are sending the $timeThen as a POST request, it makes it easier to bypass (just by manipulating the POST request.. or even manually editing the template value)

Instead of sending it as a POST request to the actionRegister, you could save it to the database directly at the time the user visits the registration page. This would be from server -> db directly, so it could not be manipulated... unless they sat between server and db (which suggests you have bigger issues).

So, I would suggest saving the $timeThen to the db and retrieving it from the actionRegister (also still checking that it exists as above)
 
Yeah, I noticed a couple 0 seconds too! Many are 1 second. I think some of the folks set the scripts to take 5 seconds or so in an attempt to act human.

This caught 300 since I installed it a couple days ago. I did notice that a bunch of them would have also been rejected by the other checks (country, SFS) had they actually registered. But every one that you stop is a big win.....I'd rather beat them all over the head repeatedly than miss some!
 
Okay, I just checked: XenForo requires a session token (as a cookie) before you can log in or register...

Some bots post directly to the actionRegister (regardless of what they require)... they possibly pick the session token up from the earlier actionLogin and POST this through (think of some bots as sitting in the middle like Paros or Burp ... the front end page is irrelevant)

They don't care what input fields are present on the registration page. It's for this reason that things like required custom fields are ineffective for a small fraction of bots (required fields are not actually required if you check the PHP, see here... this is a bug).

Interestingly, however, I've noticed MOST XRumer bots POST everything that's on the registration page (so it's only a small fraction that are POSTing directly)... so we can improve this by:

1) Checking that $timeThen is sent (in this case)
2) Not sending the value by a method that can easily be manipulated. In this case, putting the value in the template and POSTing it, or just POSTing it (even session cookies) can all be manipulated; sending it directly to the DB can not (unless you happen to sit in between server and db)
 
You should probably handle the case where a user makes an error (CAPTCHA, for instance).

The form is sent back (almost complete, except password / CAPTCHA), the timer is reset in your case, and the user completes the form within a few seconds.
(I know this, since I have to figure out how to handle this myself now.)
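The three points raised in this thread (reject a POST that never loaded the form, keep the start time where the client cannot edit it, and do not reset the timer when the form is re-displayed after a CAPTCHA error) can be put together in one small timer. The following is an added example in plain PHP, not the add-on's code and not code from any poster; the class and method names (RegistrationTimer, onFormView, onRegisterPost, clear), the in-memory array standing in for a session row or DB table, the 15-second minimum and the session ids and timestamps are all constructed for the example.

```php
<?php
// Added example, not the add-on's code: a registration timer whose start
// time is kept server-side and keyed by the visitor's session id, so no
// "time" parameter is ever sent through the template or the POST body.
// The array below stands in for a session store or a DB table (assumption).

declare(strict_types=1);

final class RegistrationTimer
{
    private const MIN_SECONDS = 15;   // minimum fill-in time (constructed threshold)

    /** @var array<string, int> session id => unix timestamp of the FIRST form view */
    private array $store = [];

    /** Call when the registration form is rendered (GET, or re-display after an error). */
    public function onFormView(string $sessionId, int $now): void
    {
        // Record only the first view. If the form comes back after a CAPTCHA or
        // validation error, the original start time must survive; resetting it
        // here is what makes a human fixing one field look like a bot.
        if (!isset($this->store[$sessionId])) {
            $this->store[$sessionId] = $now;
        }
    }

    /**
     * Call from actionRegister before the account is created.
     * Returns ['ok' => bool, 'reason' => string, 'taken' => int|null].
     */
    public function onRegisterPost(string $sessionId, int $now): array
    {
        $then = $this->store[$sessionId] ?? null;

        // No start recorded: the client POSTed to actionRegister without ever
        // loading the form (the direct-POST bots described above). Reject it
        // instead of computing $now - 0 and treating a huge value as "slow".
        if ($then === null) {
            return ['ok' => false, 'reason' => 'no_form_view', 'taken' => null];
        }

        $taken = $now - $then;
        if ($taken < self::MIN_SECONDS) {
            return ['ok' => false, 'reason' => 'too_fast', 'taken' => $taken];
        }

        // Deliberately NOT cleared here: a later CAPTCHA failure re-displays the
        // form and the same start time must still apply on the next attempt.
        return ['ok' => true, 'reason' => '', 'taken' => $taken];
    }

    /** Call once the account has actually been created. */
    public function clear(string $sessionId): void
    {
        unset($this->store[$sessionId]);
    }
}

// Constructed walkthrough (session ids and timestamps are made up)
$timer = new RegistrationTimer();
$t0 = 1354320000;

// 1. Human: views form at t0, submits at +40s but fails CAPTCHA, form is
//    re-displayed, fixes CAPTCHA and resubmits 5s later. Start is not reset.
$timer->onFormView('sess-human', $t0);
var_dump($timer->onRegisterPost('sess-human', $t0 + 40)['ok']);   // bool(true)
$timer->onFormView('sess-human', $t0 + 40);                        // re-display, keeps t0
$r = $timer->onRegisterPost('sess-human', $t0 + 45);
var_dump($r['ok'], $r['taken']);                                   // bool(true) int(45)
$timer->clear('sess-human');

// 2. Bot that fetched the form and POSTed one second later
$timer->onFormView('sess-bot1', $t0);
var_dump($timer->onRegisterPost('sess-bot1', $t0 + 1)['reason']);  // string "too_fast"

// 3. Bot POSTing straight to actionRegister with no form view at all
var_dump($timer->onRegisterPost('sess-bot2', $t0 + 600)['reason']); // string "no_form_view"
```

In a real install the array would be the per-session record (XenForo's session store or a dedicated table, as suggested above); the point is that the only thing the browser holds is its session cookie, and the start time itself never leaves the server.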
 
This looks like a very handy mod to have. Thank you Chris, you saved me quite some time as I was planning to code something similar as I have had a lot of spamming lately.
 
Thanks Borbole.

It is incredibly effective. I will be making some of the improvements soon as suggested by tenants.
 
Great add-on, Chris. Thank you! I'm having a bit of trouble activating it. I uploaded the unzipped folder via FTP to my public_html folder. But the add-on is not in my admin panel. When I try uploading it from the XF admin panel it tells me that it's already uploaded. Would you mind giving more detailed instructions on what exactly (and how) to install this?
 
1) Download the add-on zip file.
2) Extract the contents of the zip file to your computer.
3) Upload the contents of the upload folder to your public_html folder using FTP
4) In the zip file was an XML file.
5) Go to Admin CP > Install Add-On > Browse > Find the XML file > Click Install add-on
 
That didn't work either (and I know it's on my end). Here is what I did:

1. Unzipped folder
2. Uploaded the folder within the unzipped folder called 'upload' and the html file via filezilla to the public_html folder
3. Went to the XF admin panel, install add-on/browse/xml file and clicked 'install add on'

I got this error message: The files associated with this add-on could not be found. Please upload them and try again.
 
I didn't say upload the upload folder. I said upload the contents of the upload folder. So the stuff inside it, not the actual folder itself. Go actually in to the upload folder and upload what is inside it.

The same goes for that 1.1.3 upgrade we're discussing in the other thread.
 
Nope. Doesn't work either. Here is the problem I have with most instructions from people who upload stuff all the time and know exactly where things go, which folder to upload, etc. To a complete non-techie like myself, I am following the exact step by step guidance and don't 'know' from experience what and where to upload things.

Your instructions say to 'unzip' the folder and then to upload the 'contents.'

There are a bunch of steps missing in these instructions because obviously the folder when unzipped is still called 'RegFormTimer.' The contents of THAT folder are the 'upload' folder and the 'xml' file. Per your instructions, these are the contents of the folder. But that doesn't work.

When I clicked on the 'upload' folder I get to a 'library folder.' So I uploaded that since that is the content of the previous content folder called 'upload.' But that doesn't work either. Within the 'library' folder there is another content folder called 'RegFormTimer' and so I uploaded that and that didn't work either. So I went inside the 'RegFormTimer' folder and there are 3 folders in there and 2 php files. I uploaded these 5 things into the public_html folder but that still gives an error message.

I know these things are totally second nature to you because you're the expert. To me, however, who relies on step by step guidance almost all of the instructions on how to upload something are missing steps in between (not just with your instructions, this is across the board). That's why I can't do most of the things myself because the instructions are just not detailed enough.

Anyways - I'm getting ready to give up. Thought I followed your instructions but obviously I still must be missing a step in there somewhere.
 
I have not once said "'unzip' the folder and then to upload the 'contents'"

That is not what my instructions say. I will try to be more clear:

1) Download the ZIP file to your computer.
2) Extract the ZIP file to your computer.
3) Once the files have been extracted, find within those files a folder called "upload".
4) Go inside the folder called "upload".
5) The contents of this folder (the folder called upload) need to be uploaded to the root of your XenForo installation (this is usually the public_html folder) - (This is what we mean by uploading the contents of the upload folder. There's a folder named upload. Upload the stuff inside it).
6) In the Admin CP, Install Add-on, Browse and find in the previously extracted files, the file ending in .xml. Click Install add-on.
 
My bad, I thought unzip and extract are the same thing. I did extract the files. And I did what you suggested (in point 5) and uploaded the contents of the 'upload' folder. I still get an error message. It's okay, I give up for now. Thank you for all your help and I'm sorry for being such a bear. :(
 
Unzip and extract are the same thing...

What's the error message you're getting? Would you like me to install it for you?
 