Gentle way to hook a CAPTCHA in the log-in form

I added a new field to my panel's log-in form: a captcha (to prevent brute-force attacks - which will be included in Kirby 2.2 soon).

It works perfectly and you can download the plug-in at GitHub.


But you have to manually alter the /panel/index.php by hand and add this line to the top of the file:

$captcha_file = 'captcha/cgi/check.php';if(file_exists($captcha_file)){include_once($captcha_file);}

Is there any way to hook the log-in form's functionality without modifying the core?


Great idea for a plugin!

Unfortunately, you currently can’t modify the login form of the Panel without modifying some Panel code. But I think your solution is quite good. I have not looked through all the code, but the installation process is alright.

Thanks, it works fine - I just stitched some existing scripts together and placed them “before” the real form.

So first, you have to enter a captcha… when the captcha is okay, a session-cookie is written to your local device.

When both the session_id() and session_cookie are the same, you can enter the default form - when those do not match, you have to enter the captcha again…

It’s very simple and maybe not 100% safe - but a bot can’t enter captchas or write fake cookies that easily, so it’s an extra layer of protection.

It can’t make the Panel more insecure, so adding this extra level is a viable solution. :wink:

One idea to improve it: You could use a session variable instead of a cookie. A session variable is stored on the server and can’t be modified by the client.

“A session variable is stored on the server and can’t be modified by the client.”

I did… sort of…

The script sets a cookie on the client's machine (which contains the session_id) and the same cookie is saved on the server.

When the local cookie and remote / server cookie don’t match - you cannot log in using the default form.

This will give issues when editing the same document by several editors, but for the moment I can live with that (maybe I have to save an IP-address or hardware blueprint to make them unique, I will think about it).

You can use $_SESSION instead of $_COOKIE, which works basically in the same way but is handled by PHP on the server-side. Only difference: You need to call session_start() before setting a session variable.

Thanks, the captcha already uses a $_SESSION variable - and the plug-in matches that one against the local cookie.

I will fine-tune the captcha in the coming days, though…

For the moment, I made the captcha stronger (8 characters, instead of 5) and I made the form more human friendly (and less robot friendly - by drawing a little 'bot, sorry - Android :slight_smile: ).


You are using a custom file stored in captcha/check/.session_id, aren’t you? You don’t need to do that. PHP sets a session cookie automatically.

Yes sir, I do :smile:

But the reason I did this is because Kirby is destroying “my” session (which I had to initialize before creating the captcha).

So I decided to…

  • Start a session.
  • Save the data.
  • Destroy my session.
  • Hand it all over to Kirby (when my session allows it).

I do not want to alter Kirby's core - so my session is temporary (only meant for the captcha) and then it’s all over to Kirby.

Maybe there are better ways to realize this (please, do fork me!), but I encountered problems with Kirby's session-control… and I did write this script as a fiddle… took me about 30 minutes (drawing the 'bot took me even longer) :stuck_out_tongue:

Since Kirby 2.2 will protect against brute-force attacks, the plugin is rather a temporary solution. And for that it’s fine. :smile:

I know - that’s why my second name is “cavalier”…

For I’m always behind the troops.
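
The suggestion in this thread to keep the captcha state in $_SESSION instead of a client cookie could look like the following. This is an added example, not the plug-in's code or any participant's post; the function names and the captcha_* session keys are hypothetical, it assumes PHP 7 or later, and it does not address the clash with Kirby's own session handling described above.

```php
<?php
// Added example: captcha gate whose state lives only in $_SESSION (server side).
// Function names and the 'captcha_*' keys are hypothetical. Requires PHP 7+.
const CAPTCHA_MAX_TRIES = 5;

function captcha_session_start(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(['cookie_httponly' => true]);
    }
}

// Create a new challenge; the answer is kept on the server, never in a cookie.
function captcha_issue(int $length = 8): string {
    captcha_session_start();
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no look-alike characters
    $answer = '';
    for ($i = 0; $i < $length; $i++) {
        $answer .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $_SESSION['captcha_answer'] = $answer;
    $_SESSION['captcha_tries']  = 0;
    $_SESSION['captcha_passed'] = false;
    return $answer; // pass this to the image renderer only
}

// Check a submitted answer; a challenge can be solved at most once.
function captcha_verify(string $input): bool {
    captcha_session_start();
    $expected = $_SESSION['captcha_answer'] ?? null;
    $_SESSION['captcha_tries'] = ($_SESSION['captcha_tries'] ?? 0) + 1;
    if ($expected === null || $_SESSION['captcha_tries'] > CAPTCHA_MAX_TRIES) {
        unset($_SESSION['captcha_answer']); // force a fresh challenge
        return false;
    }
    if (!hash_equals($expected, strtoupper(trim($input)))) {
        return false;
    }
    unset($_SESSION['captcha_answer']);
    session_regenerate_id(true); // new session id once the state changes
    $_SESSION['captcha_passed'] = true;
    return true;
}

// Gate for the login form: the flag is consumed, so one solved captcha
// allows exactly one login attempt.
function captcha_gate_passed(): bool {
    captcha_session_start();
    $ok = ($_SESSION['captcha_passed'] ?? false) === true;
    $_SESSION['captcha_passed'] = false;
    return $ok;
}
```

Because the pass flag never leaves the server, the client only holds the session id, and consuming the flag on each check means a solved captcha cannot be reused for repeated password guesses.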