1 Reply Latest reply on Dec 1, 2010 8:07 AM by Peter Haight

    SEAM CAPTCHA challenge and response is remembered once it is solved correctly

    Peter Haight Newbie

      Scenario:


      Use a SEAM CAPTCHA to prevent automated registration requests from bots


      Problem:


      Once a new registrant successfully answers the challenge and submits the registration request, subsequent visits to the registration page still display the original CAPTCHA and correct response.


      Proof:


      I was trying to determine if I was correctly using the CAPTCHA framework included in SEAM jboss-seam-2.2.0.GA.  References included the seam_reference.pdf included with the release as well as various forum post on this site.  As I needed to register on this website to post this, I thought I would see how this website behaves with respect to registering as a new user and revisiting the registration page once completed.  The same behavior is displayed.  The CAPTCHA challenge answered when registering my account on this website the first time is displayed with the correct answer the next time the page is visited.


      Configuration:


      jboss-seam-2.2.0.GA -> jboss-5.1.0.GA -> Ubuntu 8.10


      More Details:


      I have observed that a new CAPTCHA is presented if a user logs into and out of the application in between visits to the registration page.  The default SEAM CAPTCHA also has a scope declaration of SESSION, and the example extension of that class, HitchhikersCaptcha, is also SESSION scoped.  Is this appropriate considering that no user is ever actually logged into the application/system as a result of successfully registering for an account?  Would PAGE or CONVERSATION scope be better suited for a task such as this in order to prevent automated attacks?


      I have already referenced SEAM-Forum-CaptchaNotUpdatingWithoutNewSession, but it does not seem to be directly applicable.  If there are any suggestions or work around solutions available, please respond, it will be greatly appreciated.