Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: Captcha mod. for Login using recaptcha. Easy mod. to slow down abusers.  (Read 13327 times)

0 Members and 1 Guest are viewing this topic.

Joe Carver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1504
  • aka 'i-imagine'
    • Home Page

See second post for improved modification
For Plugin version click here


This modification will put a Captcha (recaptcha) on the Login page. Users will have to enter two words to log in. One file - login.php is modified. Two files - captcha_errmssg.php and recaptchalib.php - are added to the Coppermine root directory. You will need to get a set of keys and the file - recaptchalib.php - from recaptcha.net. They are all free. Like the other recaptcha mods I have posted this will run without other changes to your database or gallery configuration. To uninstall the mod. simply replace file - login.php - with a clean copy. Example is now running at http://gallery.josephcarver.com/natural/ see link below for newer demo.

Quote
in file login.php find:
Code: [Select]
$cookie_warning = '';
Quote
insert the following to look like this with your key where indicated
Code: [Select]
if ((isset($_POST['submitted'])) && (!(USER_ID))){
require_once('recaptchalib.php');    
$privatekey = "YOUR PRIVATE RECAPTCHA KEY HERE";
$resp = recaptcha_check_answer ($privatekey,
$_SERVER["REMOTE_ADDR"],
$_POST["recaptcha_challenge_field"],
$_POST["recaptcha_response_field"]);
if (!$resp->is_valid) {
die(header('Location: captcha_errmssg.php'));
}
}
Quote
find the following:
Code: [Select]
             <td align="center" class="tablef"><a href="forgot_passwd.php" class="topmenu">{$lang_login_php['forgot_password_link']}</a></td>
Quote
Insert the following to look like this with your key where indicated
Code: [Select]
 </tr>
<tr>
<td class="tableb_compact" align ="center" valign= "top" colspan="3" height="150">
<br>Type the two words with a space. Then click Login <br>
<script>
var RecaptchaOptions = {
   theme : 'white'
};
</script>
<script type="text/javascript"
   src="http://api.recaptcha.net/challenge?k=<YOUR PUBLIC RECAPTCHA KEY HERE>">
</script>
<noscript><h3> <br><u>YOU HAVE NO JAVASCRIPT!<br>1) Solve the challenge<br>2) Copy and Paste the key
  into the lower box<br>3) Click Submit (it's easy with javascript on)</u><h3>
   <iframe src="http://api.recaptcha.net/noscript?k=<YOUR PUBLIC RECAPTCHA KEY HERE>"
       height="300" width="500" frameborder="0"></iframe><br>
   <textarea name="recaptcha_challenge_field" rows="3" cols="40">
   </textarea>
   <input type="hidden" name="recaptcha_response_field"
       value="manual_challenge">
</noscript>
  <h3>Click Get a new challenge (above) for new words</h3>
                                </td>
</tr>
                                <tr>
Quote
Create a response file, name it captcha_errmssg.php
Code: [Select]
                 

<?php
define('IN_COPPERMINE'true);
require('include/init.inc.php');
pageheader('RECAPTCHA ERROR PAGE');
// 090308// 090407
   
 starttable("100%");
    
?>

     <tr>
<h1 align="center">
<a href="#" onclick="history.go(-1);return false;"><b><font color= "red">
SORRY, THERE WAS AN ERROR WITH THE </br>RECAPTCHA.
CLICK HERE AND TRY AGAIN.</br></br>(OR USE THE BACK BUTTON ON YOUR BROWSER)</b></font></a>
</br>
</h1> </div>
  </tr>
<?php
endtable();
//  ends here
pagefooter();
ob_end_flush();
?>

Upload the mod.file  login.php , the files recaptchalib.php and captcha_errmssg.php to your gallery root directory. Test and you will now have captcha protection for your log in page. The example above puts the Login button below the captcha and has only one style applied to the image. Other css styles can be applied to the display. The mod was applied to  Coppermine version: 1.4.21. Both of my gallery installations are now running these captchas ( i-imagine.net and login captcha here at gallery.josephcarver.com/natural/ see link below for newer version)with sef urls, remove_modify and cpmfetch. See my other post for comments, ecards and registration mods. Hoping this helps......
i-imagine
« Last Edit: September 06, 2009, 06:03:05 pm by i-imagine »
Logged

Joe Carver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1504
  • aka 'i-imagine'
    • Home Page

AJAX method is used here to display a visual challenge - ReCAPTCHA - for users trying to log in. This method is an improvement over the javascript method above, solving conflicts with other scripts and plugins that rewrite the page header.

Demonstration link here: gallery.josephcarver.com/natural/demo_recaptcha_login.php
user = foo   password = bar  This link is not accessible from the normal gallery login link from the menu. It will act the same, but with a cookie error.

In order to use reCAPTCHA, you need a public/private API key pair. Links are below.

Error handling is performed by the cpg die function. The captcha validation occurs before testing the user input (username/password validation) and will not be logged as a failed log in attempt. This might slightly "harden" login since the validation is tested on a remote server and only the validation response is passed to login.php.  The captcha depends on the user having javascript enabled, with no <noscript> alternative. Because of the bad traffic that I see trying to register, make comments, etc comes from "agents" that don't have js. and my galleries needs js for users nothing seems lost to users without js (opinion!)

To uninstall this mod. (if you can't log in) just replace file login.php with a clean copy. This mod. does not affect the database or gallery configuration. ReCAPTCHA has proven so far to be reliable for me on comments, ecard and registration forms.

    1 - Register and get keys and file from recaptcha.net
    • Private (hidden) and Public (in form) Keys
    • file  recaptchalib.php     copy to your gallery root directory

      2 - Modify these files
      • login.php - code as below - with your keys where shown
      • template.htm (for each theme that you use)


      Quote
      in file login.php find[/list][/list]
      Code: [Select]
      $cookie_warning = '';
      Quote
      add this below, insert your PRIVATE key where shown
      Code: [Select]

      if ((isset($_POST['submitted']))) {
      require_once('recaptchalib.php');    
      $privatekey = "YOUR PRIVATE RECAPTCHA KEY GOES IN HERE";
      $resp = recaptcha_check_answer ($privatekey,
      $_SERVER["REMOTE_ADDR"],
      $_POST["recaptcha_challenge_field"],
      $_POST["recaptcha_response_field"]);
      if (!$resp->is_valid) {
      cpg_die(CRITICAL_ERROR, 'Sorry, Captcha Error - Go Back and Try Again');
      }
      }

      Quote
      in file login.php find
      Code: [Select]
      <td align="left" class="tablef"><input name="submitted" type="submit" class="button"

      value="{$lang_login_php['login']}" tabindex="4" /></td>
      Quote
      replace it with - insert your PUBLIC key where shown
      Code: [Select]
      <tr>
             <td class="tableb_compact" align ="center" colspan="3">
      <div><br></div>
      <script>
      function showRecaptcha(element, submitButton, themeName) {
         Recaptcha.create("YOUR PUBLIC RECAPTCHA KEY GOES IN HERE", element, {
              theme: 'white',
              tabindex: 0,
              callback: Recaptcha.focus_response_field
        });
         hideSubmitButtons();
         document.getElementById(submitButton).style.visibility = "visible";
      }

      function hideSubmitButtons() {
         document.getElementById('submit_button_1').style.visibility = "hidden";
        
      }

      function destroyRecaptchaWidget() {
         hideSubmitButtons();
         Recaptcha.destroy();
      }
      </script>
      <form method="post" action="">
      <p>
      <input type="button" class="button"  value="Click here - type the words - click

      {$lang_login_php['login']}" onclick="showRecaptcha('dynamic_recaptcha_1', 'submit_button_1',

      'red');"></input>
      <div id="dynamic_recaptcha_1"></div>
      <input name="submitted"  style="visibility: hidden"  type="submit" class="button"

      value="{$lang_login_php['login']}" tabindex="4" id="submit_button_1" /></input>
        <div><br></div>
            <input type="button" class="comment_button" value="Hide the reCAPTCHA widget"  

      onclick="destroyRecaptchaWidget();"></input>
      <br><br>
            </td>


      Quote
      insert in the <head> in your template.htm file(s) - for each theme you use
      Code: [Select]
      <script type="text/javascript"
       src="http://api.recaptcha.net/js/recaptcha_ajax.js"></script>

      Upload and you are done. This style places the captcha box above the login link and it is hidden until called. Other styles and language options can be used. For information on how this works see this link: http://recaptcha.net/apidocs/captcha/client.html
      For my gallery, it's content and my users this mod. would be one too many "speedbumps". For those that have trouble with abusers trying to log in, I hope it helps.

      To create a testing file for a live gallery
      make one more mod. to login.php and rename it. demo_recaptcha_login.php
      Quote
      in file login.php find:
      Code: [Select]
      echo '<form action="login.php?referer='.$referer.'" method="post" name="loginbox">';
      Quote
      replace with
      Code: [Select]
      echo '<form action="demo_recaptcha_login.php?referer='.$referer.'" method="post" name="loginbox">';
      This will return you to the mod. form if user data input is in error. Otherwise it would return to login.php. This will also keep your mod. hidden from users until you undo this change and rename it back to login.php.


      « Last Edit: June 18, 2009, 05:06:26 pm by i-imagine »
      Logged
      Pages: [1]   Go Up
       

      Page created in 0.021 seconds with 19 queries.