-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ReCaptchaSettings.DetectionThreshold is not counted correctly for log in #17200
Comments
I don't actually know why this worked differently before, since the logic is quite simple and implemented here, what didn't change: Line 38 in 1c890da
So, the algorithm is that You get 7 instead of 6 because I only elaborated this in 10 times the characters the actual code is long, to show that for me it's really not clear how else this should be implemented, while agreeing that the configuration value of Changing that |
I agree that changing But I'm still not sure why in 2.1.2 I'm getting 7 instead of 6. |
I think I know why it increased from 6 to 7 in 2.1.2. It has to do with the refactoring to make the login form driver-based. On the POST the form shape is built on line 108. This will validate the ReCaptcha and increment the counter if it fails. OrchardCore/src/OrchardCore.Modules/OrchardCore.Users/Controllers/AccountController.cs Line 108 in 4ab7c34
But if something about the POST fails (e.g. ReCaptcha validation fails) then the form shape is simply redisplayed as is with So to summarize I think there are two separate but related bugs.
|
@MikeAlhayek opinion on #2? |
The model state is probably going to be lost if the form is rebuilt, so the entered username / email address will be lost. That's probably why it is the way it is now. |
Self NotesFirst observation, the Second, it would be better for RecommendationOn issue 1, I agree that the condition should be On issue 2, I think the |
I don't quite agree, a local cache is still valid. It's just that every node has the cache. Not all caches need to be reused/shared. In this case it might be better to not issue a network call (when actually running distributed). There is no general truth in this case, it depends on the cost of the cached item. |
@sebastienros the problem here has nothing to so with distribution. This issue happens one a single node. In regard to the |
@rjpowers10 we are now considering removing this threshold detection logic completely. The idea being that login already has a feature to limit the number of attempts, and rate limiting is an existing middleware that could also be used here (and anywhere else). The amount of changes and the fact we also need to maintain a shared cached to count (not thinking about eviction time) is too important for what we think is the actual usage: you are the first one to find it doesn't work even though this feature is not new. |
We triaged this issue and set the milestone according to the priority we think is appropriate (see the docs on how we triage and prioritize issues). This indicates when the core team may start working on it. However, if you'd like to contribute, we'd warmly welcome you to do that anytime. See our guide on contributions here. |
This is true but I'm unsure what this means for the ReCaptcha feature. I know .NET has a built in feature to lock an account after a number of failed attempts, but that feels like a separate topic from ReCaptcha. Or are you thinking that ReCaptcha just becomes an on/off feature? No counter, the ReCatpcha is just shown every time (if enabled). |
exactly the idea. |
So you're only talking about removing the IP-based counter. Going forward, you can use ReCaptcha, or you can use the .NET lockout, or you can use both. ReCaptcha is either on or off with no detection features. I'm starting to see why I'm confused. The IP-counter was only intended for logging in.
Which makes sense now that I think about it more. Counting registration failures is kind of a weird concept to begin with. Okay, removing the counter sounds good to me. I see where you're going with this. |
@Piedone are you also okay with removing the threshold and the counter from reCaptcha altogether? |
Are you thinking this would be a 2.1.x release? It's a breaking change...but there are also issues with it already. |
no. That would be a breaking change. 3.0 |
EDIT: My mistake |
doesn't the reCaptcha always show now? |
Oh I see, the ReCaptcha tag helper has an "always show" mode that registration is using. Yes, you are correct. 2.1.2 registration is working. My mistake. |
Yep, good points. |
Describe the bug
My value of ReCaptchaSettings.DetectionThreshold is 5. I expect this to mean I can fail logging in 5 times and then on the 6th attempt I see the ReCaptcha.
In OC 2.1.2 it seems like the number of failed attempts went up by 1, but it seems like it was off in 1.8.2 as well. If the 1.8.2 behavior is correct then that's fine with me. But it does seem like it unintentionally changed in 2.1.2, which is my bigger concern.
Orchard Core version
I noticed this in the process of updating from OC 1.8.2 to 2.1.2.
To Reproduce
OrchardCore.ReCaptcha.Users
feature.Expected behavior
The default setting of ReCaptchaSettings.DetectionThreshold is 5 and I'm using the default value.
In OC 1.8.2 I fail the log in process 5 times in a row. I would expect to see the ReCaptcha here, but I actually need to fail a 6th time for it to appear.
In this gif I click the "log in" button 5 times and fail, but it isn't until I click "log in" a 6th time that the ReCaptcha is displayed.
In OC 2.1.2 it is similar, except I have to fail 7 times even though my threshold is still set to 5.
The text was updated successfully, but these errors were encountered: