Page MenuHomePhabricator
Create Task
Maniphest T113700

one CAPTCHA (per action) should be enough to confirm humanity/ smart enough bot
Open, MediumPublic
Actions

Description

Doing some action (creating account, editing article etc) which requires CAPTCHA may fail in the post action process (invalid username selected, AbuseFilter prevent editing etc) - in such case CAPTCHA shouldn't be required again. Requiring CAPTCHAs again and again is very unfriendly.

Possible solutions:

  • once a user filled CAPTCHA correctly for some action token, don't require it again
  • store CAPTCHA cookie locally for short time and allow the user to skip captchas

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Add the possibility to solve a CAPTCHA only once in a configurable timespanmediawiki/extensions/ConfirmEditmaster+105 -10
Customize query in gerrit

Related Objects

Event Timeline

eranroz created this task.Sep 25 2015, 8:22 AM
eranroz raised the priority of this task from to Needs Triage.
eranroz updated the task description. (Show Details)
eranroz added a project: ConfirmEdit (CAPTCHA extension).
eranroz subscribed.
Restricted Application added subscribers: Florian, Aklapper. · View Herald TranscriptSep 25 2015, 8:22 AM
Florian triaged this task as Medium priority.Sep 25 2015, 8:50 AM

That sounds reasonable! I think it would be possible to save such an information in redis/memcached/objectcache, e.g. the time when the CAPTCHA was solved (so a user needs to solve a new CAPTCHA after, e.g., 10 minutes) and a unique identification of one session.

Florian moved this task from Backlog to In discussion on the ConfirmEdit (CAPTCHA extension) board.Sep 25 2015, 8:50 AM
Florian claimed this task.Jan 22 2016, 7:14 PM
Florian moved this task from In discussion to Awaiting Code Review on the ConfirmEdit (CAPTCHA extension) board.Jan 22 2016, 7:18 PM
gerritbot subscribed.Jan 22 2016, 7:18 PM

Change 265791 had a related patch set uploaded (by Florianschmidtwelzow):
Add the possibility to solve a CAPTCHA only once in a configurable timespan

https://gerrit.wikimedia.org/r/265791

gerritbot added a project: Patch-For-Review.Jan 22 2016, 7:18 PM
Florian mentioned this in T22661: Conflict between the Abuse Filter and the Captcha.Feb 13 2016, 5:44 PM
Samwalton9-WMF subscribed.Feb 13 2016, 5:45 PM
jayvdb subscribed.Feb 13 2016, 6:44 PM

once a user filled CAPTCHA correctly for some action token, don't require it again

What is "some action token"?

store CAPTCHA cookie locally for short time and allow the user to skip captchas

This approach, and the patch, means that once a human has solved the CAPTCHA, the session can be used and abused by a bot.

It is critical that if a CAPTCHA is going to last more than one action, that the CAPTCHA only lasts for a predetermined number of edits, as well as any time limit. A lot of edits can be done in a very short period of time.

IMO the CAPTCHA should last only until the user has successfully completed one write operation for the action type that triggered the CAPTCHA, with a time limit of course.

A simpler implementation is that a CAPTCHA lasts until the next successful write action of any type.

i.e. if they continue to be unsuccessful, for other reasons, they dont need to solve CAPTCHA again. But as soon as they have completed one write operation, a CAPTCHA is required again.

He7d3r subscribed.Feb 18 2016, 2:40 PM
MusikAnimal subscribed.Feb 28 2016, 4:30 AM
Florian merged a task: T134081: IP users shouldn't be asked to pass captcha every time they add or edit an article.May 1 2016, 12:25 PM
Florian added a subscriber: Yurivict.
gerritbot added a comment.Aug 15 2016, 2:59 PM

Change 265791 abandoned by Florianschmidtwelzow:
Add the possibility to solve a CAPTCHA only once in a configurable timespan

Reason:
This is a fairly bad idea :/

https://gerrit.wikimedia.org/r/265791

Florian removed Florian as the assignee of this task.Aug 15 2016, 2:59 PM
Florian mentioned this in T154784: Correctly filled CAPTCHA must not be requested again, even if something else in a form is incorrect.Jan 9 2017, 4:27 AM
Amire80 merged a task: T154784: Correctly filled CAPTCHA must not be requested again, even if something else in a form is incorrect.Jan 9 2017, 4:29 AM
Amire80 subscribed.
Reedy removed a project: Patch-For-Review.Feb 10 2017, 11:47 PM
Reedy moved this task from Awaiting Code Review to In discussion on the ConfirmEdit (CAPTCHA extension) board.
Tgr subscribed.Feb 12 2017, 4:11 AM

This should probably be done by converting successfully solved captchas into success tokens stored in the session, and consuming a success token whenever a captcha is needed (e.g. end of account creation) and not showing the captcha interface if there are any success tokens of the given type available.

Tgr mentioned this in T241921: Fix Wikimedia captchas.Jan 5 2020, 8:12 AM
Bugreporter mentioned this in T269667: Unable to publish changes when user not confirmed and adding an external link and keeping edit summary blank.Dec 8 2020, 4:20 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits