I added a new field to my panel's log-in form: a captcha (to prevent brute force attacks - which will be included in Kirby 2.2 soon).
It works perfectly and you can download the plug-in at GitHub.

But you have to manually alter the /panel/index.php by hand and add this line to the top of the file:
$captcha_file = 'captcha/cgi/check.php'; if (file_exists($captcha_file)) { include_once($captcha_file); }
Is there any way to hook the log-in form's functionality without modifying the core?
Great idea for a plugin!
Unfortunately, you currently can’t modify the login form of the Panel without modifying some Panel code. But I think your solution is quite good. I have not looked through all the code, but the installation process is alright.
Thanks, it works fine - I just stitched some existing scripts together and placed them “before” the real form.
So first, you have to enter a captcha… when the captcha is okay, a session-cookie is written to your local device.
When both the session_id() and session_cookie are the same, you can enter the default form - when those do not match, you have to enter the captcha again…
It’s very simple and maybe not 100% safe - but a bot can’t enter captchas or write fake cookies that easily, so it’s an extra layer of protection.
It can’t make the Panel more insecure, so adding this extra level is a viable solution. 
One idea to improve it: You could use a session variable instead of a cookie. A session variable is stored on the server and can’t be modified by the client.
I did… sort of…
The script sets a cookie on the client's machine (which contains the session_id) and the same cookie is saved on the server.
When the local cookie and remote / server cookie don’t match - you can not login using the default form.
This will give issues when editing the same document by several editors, but for the moment I can live with that (maybe I have to save an IP-address or hardware blueprint to make them unique, I will think about it).
You can use $_SESSION instead of $_COOKIE, which works basically in the same way but is handled by PHP on the server-side. Only difference: You need to call session_start() before setting a session variable.
Thanks, the captcha already uses a $_SESSION variable - and the plug-in matches that one against the local cookie.
I will fine-tune the captcha the coming days, 'though…
For the moment, I made the captcha stronger (8 characters, instead of 5) and I made the form more human friendly (and less robot friendly - by drawing a little 'bot, sorry - Android).
You are using a custom file stored in captcha/check/.session_id, don’t you? You don’t need to do that. PHP sets a session cookie automatically.
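The two suggestions above (use $_SESSION instead of a cookie, and let PHP set the session cookie itself), as an added example that is not part of the thread or the plug-in's code. The function names, the session keys captcha_answer / captcha_passed and the 300-second lifetime are assumptions made for illustration, and the sketch assumes the session is still available when the login form is shown.

```php
<?php
// Added example, not the plug-in's code: the captcha state lives only in
// $_SESSION, so the client holds nothing but PHP's own session cookie.
// All function names and session keys below are hypothetical.

const GATE_TTL = 300; // seconds a solved captcha stays valid (assumed value)

function gate_start(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_set_cookie_params([
            'httponly' => true,                   // not readable from JavaScript
            'samesite' => 'Strict',
            'secure'   => !empty($_SERVER['HTTPS']),
        ]);
        session_start();                          // PHP sends the session cookie itself
    }
}

function gate_new_challenge(int $length = 8): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no look-alike characters
    $answer = '';
    for ($i = 0; $i < $length; $i++) {
        $answer .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $_SESSION['captcha_answer'] = $answer;        // expected answer stays on the server
    unset($_SESSION['captcha_passed']);
    return $answer;                               // caller draws this into the image
}

function gate_check(string $submitted): bool
{
    $expected = $_SESSION['captcha_answer'] ?? '';
    unset($_SESSION['captcha_answer']);           // one attempt per challenge
    if ($expected === '' || !hash_equals($expected, strtoupper(trim($submitted)))) {
        return false;
    }
    session_regenerate_id(true);                  // fresh id once the state changes
    $_SESSION['captcha_passed'] = time();         // a flag the client cannot edit
    return true;
}

function gate_is_open(): bool
{
    $passed = $_SESSION['captcha_passed'] ?? 0;
    return $passed > 0 && (time() - $passed) <= GATE_TTL;
}
```

A file such as the check.php included at the top of /panel/index.php would call gate_start() first and let the request continue to the login form only when gate_is_open() returns true.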
Yes sir, I do 
But the reason I did this, is because Kirby is destroying “my” session (which I had to initialize before creating the captcha).
So I decided to…
- Start a session.
- Save the data.
- Destroy my session.
- Hand it all over to Kirby (when my session allows it).
I do not want to alter Kirby's core - so my session is temporary (only meant for the captcha) and then it’s all over to Kirby.
Maybe there are better ways to realize this (please, do fork me!), but I encountered problems with Kirby's session-control… and I did write this script as a fiddle… took me about 30 minutes (drawing the 'bot took me even longer)
Since Kirby 2.2 will protect against brute-force attacks, the plugin is rather a temporary solution. And for that it’s fine. 
I know - that’s why my second name is “cavalier”…
For I’m always behind the troops.