1 (edited by apmuthu 09/14/2012 04:04:29 pm)

Topic: Securimage CAPTCHA Integration into FA

Would you like the Securimage CAPTCHA integration to get into the code base for the current v2.3.11+ in mercurial repo?

Details at:
Feature Posted At Bugs (#1783) Site

Download in debian with:

cd /var/www
wget -O securimage.tar.gz https://github.com/dapphp/securimage/tarball/master
mkdir -p /var/www/frontac/securimage
tar -xzf securimage.tar.gz -C /var/www/frontac/securimage --strip-components=1

FA Securimage Integration notes:

FA uses its own session name computed using the domain / URI string it was installed at.
FA's JavaScripts for Ajax and other HttpRequests use the default PHPSESSID session name.
The Securimage SQLite DB is not being used by default and only SESSION variables are used.
The Audio files account for over 95% of the securimage download size.

CAPTCHA Session variables used:

$_SESSION = Array (
......

    [securimage_code_disp]  => Array ( [default] => bnGp24 ) 
    [securimage_code_value] => Array ( [default] => bngp24 ) 
    [securimage_code_ctime] => Array ( [default] => 1347630909)

) 

The files:

Place the securimage library in the securimage folder at the webroot.
Copy the securimage/securimage_show.php to securimage/securimage_show_n.php

File: securimage/securimage_show_n.php
Insert at the very top after the opening PHP tag:

$sn = (isset($_GET['sn']) ? trim($_GET['sn']) : 'PHPSESSID');
$oldsess = session_name($sn);

Append at the very last:

session_name($oldsess);

File: config.default.php
Append before last closing PHP tag:

/*  Should FA use CAPTCHA for login form?
    false for no       true for yes
    Get the securimage code at https://github.com/dapphp/securimage/zipball/master
    Extract the contents into the securimage folder under the webroot.
*/

    $use_captcha_for_login = false;

The above variable must be set to true for CAPTCHA use.
It defaults to false for backwards compatibility.


File: access/login.php
Insert at Line 102:

//         Use CAPTCHA only for fresh login and not for timeouts
        if ($use_captcha_for_login && !($login_timeout)) 
        {
            start_row();
?>
            <td colspan="2">
                <img id="siimage" 
                    style="border: 1px solid #000; margin-right: 15px" 
                    src="securimage/securimage_show_n.php?sn=<?php echo session_name(); ?>&sid=<?php echo md5(uniqid()) ?>" 
                    alt="CAPTCHA Image" align="left">
                <object type="application/x-shockwave-flash" 
                    data="securimage/securimage_play.swf?bgcol=#ffffff&amp;icon_file=securimage/images/audio_icon.png&amp;audio_file=securimage/securimage_play.php" 
                    height="32" width="32">
                  <param name="movie" 
                    value="securimage/securimage_play.swf?bgcol=#ffffff&amp;icon_file=securimage/images/audio_icon.png&amp;audio_file=securimage/securimage_play.php" />
                </object>
                &nbsp;
                <a tabindex="-1" style="border-style: none;" href="#" title="Refresh Image" 
                    onclick="document.getElementById('siimage').src = 'securimage/securimage_show_n.php?sn=<?php echo session_name(); ?>&sid=' + Math.random(); this.blur(); return false">
                <img src="securimage/images/refresh.png" alt="Reload Image" 
                    height="32" width="32" 
                    onclick="this.blur()" align="bottom" border="0"></a>
                <br />
                <strong>Enter Code*:</strong><br />
                <input type="text" name="ct_captcha" size="12" maxlength="8" />
            </td>
<?php
            end_row();
        }

File: includes/current_user.inc
Insert at Line 78:

            if (!($this->timeout)) captchacheck();

Append following function before last closing PHP tag:

function captchacheck() {
    global $use_captcha_for_login;

    if ($use_captcha_for_login) {
        // make sure that login_timeout is not affected
        if (isset($_POST['ct_captcha'])) $_SESSION['ct_captcha'] = $_POST['ct_captcha'];
        // Check CAPTCHA
        require_once 'securimage/securimage.php';
        $securimage = new Securimage();

        // empty string when no code was submitted, so check() simply fails instead of raising a notice
        $usrcaptcha = isset($_SESSION['ct_captcha']) ? $_SESSION['ct_captcha'] : '';

        if ($securimage->check($usrcaptcha) == false) {
            // CAPTCHA Failed
            echo "The security code entered was incorrect.<br /><br />";
            echo "Please go <a href='javascript:history.go(-1)'>back</a> and try again.";
//            captcha session variables used - unset still cannot prevent cached image
            // unset($_SESSION['securimage_code_disp']);
            // unset($_SESSION['securimage_code_value']);
            // unset($_SESSION['securimage_code_ctime']);
            exit;
//            return false;
        } else {
            // CAPTCHA OK
            return true;
        }
    } else return true;

}
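
As an added illustration (not part of the original post and not the Securimage library's own code), the following standalone PHP 7 script models the two security-relevant steps above: the check that captchacheck() delegates to Securimage, using the three session variables shown in the dump, and a whitelist on the sn parameter that securimage_show_n.php passes to session_name(). The function names fa_session_name_from_request and fa_captcha_verify and the 900-second lifetime are assumptions.

```php
<?php
// Added example modelling the post's CAPTCHA flow; not Securimage's own code.

// Accept only a session name PHP itself would accept (letters and digits),
// otherwise fall back to PHPSESSID. Guards the ?sn= parameter of
// securimage_show_n.php against arbitrary input before session_name() sees it.
function fa_session_name_from_request(array $get): string {
    $sn = isset($get['sn']) ? trim($get['sn']) : '';
    return preg_match('/^[A-Za-z0-9]{1,64}$/', $sn) ? $sn : 'PHPSESSID';
}

// Verify a submitted code against the session variables shown in the post:
// securimage_code_value holds the lowercase answer, securimage_code_ctime the
// creation time. $ttl (seconds) is an assumed lifetime, not a Securimage value.
function fa_captcha_verify(array &$session, string $submitted, int $now, int $ttl = 900): bool {
    $value = isset($session['securimage_code_value']['default']) ? $session['securimage_code_value']['default'] : null;
    $ctime = isset($session['securimage_code_ctime']['default']) ? $session['securimage_code_ctime']['default'] : null;
    if ($value === null || $ctime === null) {
        return false;                       // no challenge was issued for this session
    }
    // A code is single use: drop it before comparing, so a wrong guess forces a
    // new image and a correct guess cannot be submitted a second time.
    unset($session['securimage_code_disp'],
          $session['securimage_code_value'],
          $session['securimage_code_ctime']);
    if ($now - (int)$ctime > $ttl) {
        return false;                       // challenge expired
    }
    // Case-insensitive, matching disp "bnGp24" against value "bngp24";
    // hash_equals keeps the comparison constant-time.
    return hash_equals((string)$value, strtolower(trim($submitted)));
}

// Constructed sample session mirroring the dump in the post.
$session = [
    'securimage_code_disp'  => ['default' => 'bnGp24'],
    'securimage_code_value' => ['default' => 'bngp24'],
    'securimage_code_ctime' => ['default' => 1347630909],
];
$now = 1347630909 + 60;
echo "first attempt (BNGP24): ",  var_export(fa_captcha_verify($session, 'BNGP24', $now), true), "\n";
echo "second attempt (replay): ", var_export(fa_captcha_verify($session, 'BNGP24', $now), true), "\n";
echo "sn=FA1abc resolves to: ",   fa_session_name_from_request(['sn' => 'FA1abc']), "\n";
echo "sn=../evil resolves to: ",  fa_session_name_from_request(['sn' => '../evil']), "\n";
```

The second call on the same session fails because the challenge was consumed by the first, which is the single-use behaviour the commented-out unset() lines in captchacheck() were reaching for.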

Re: Securimage CAPTCHA Integration into FA

I have another simple fix ready to publish, maybe better suited for hosted FA accounts. The fix introduces a configurable delay after some failed login attempts. A captcha activated on every login attempt seems to be more restrictive for real users than for automated spam scripts using OCR tools. Thank you very much for the contribution.
Janusz

Re: Securimage CAPTCHA Integration into FA

Configurable delay after a specified number of login attempts is quite nice. It may need to store login attempts somewhere, or stale failed logins would falsely trigger it.

Since the captcha is only on initial login (not for timeouts) and is configurable in the config.php, would its integration into the base code prove troublesome? The download size would become huge due to the audio scripts; maybe another config variable for controlling audio enablement on the captcha would be desirable. Yes, the CAPTCHA proved very tiresome during repetitive testing....

Can it be encapsulated as an optional plugin (bundled with the securimage code)?

4 (edited by apmuthu 09/17/2012 11:34:19 am)

Re: Securimage CAPTCHA Integration into FA

If it doesn't make it to the code base, can it find a place in the Wiki? (Placed in Wiki)

Now that the failed login delay feature has been introduced in v2.3.12, the above code needs to be modified carefully in the light of changes to login.php and the other files listed above.

Re: Securimage CAPTCHA Integration into FA

Your captcha integration is a good piece of code, so I would like to make it available as an optional extension. Anyway it will take me some time due to other works in progress I have just now, so please be patient.

Janusz

6 (edited by apmuthu 09/17/2012 11:33:42 am)

Re: Securimage CAPTCHA Integration into FA

Thanks Janusz, no hurry. Meanwhile, have posted updated LoginDelay Fix for BugPost 1785

Re: Securimage CAPTCHA Integration into FA

Not working: after login the main page is blank with a blue background. What happened?

Re: Securimage CAPTCHA Integration into FA

Which version of FA are you using, and what platform and LAMP version is it being deployed on?
Have you downloaded the securimage library and integrated it in as well?

Re: Securimage CAPTCHA Integration into FA

I'm using FrontAccounting version 2.3.19.

10 (edited by apmuthu 06/16/2014 04:52:36 am)

Re: Securimage CAPTCHA Integration into FA

Upgrade to v2.3.21 and then modify the changes in the first post in this thread to suit the current version of the files that need to be changed.

The devs were expected to have made it into an extension by now.