Integrating PHP CAPTCHA into Self Service Password
Self Service Password is a free, open-source PHP application that allows users to change their password in an LDAP directory. To determine whether the user is human and to prevent brute forcing, Self Service Password provides easy integration with Google reCAPTCHA. Such a solution may not be appropriate for some installations because it requires an Internet connection between the server hosting Self Service Password and Google, and also between the client browser and Google. Moreover, the validation process is transferred outside the organization's boundaries, making it possible for Google to track every site access.
Securimage is a free, open-source PHP CAPTCHA script for generating complex images and CAPTCHA codes to protect forms from abuse and brute forcing. It can be added with minimal effort to existing forms on a website to determine whether the user is human. Securimage does everything from generating the CAPTCHA images to validating the typed code.
Assuming a working Self Service Password installation and a webroot of /var/www/self-service-password:
cd /var/www/self-service-password
wget https://www.phpcaptcha.org/latest.tar.gz
tar -zxvf latest.tar.gz
rm latest.tar.gz
ls
conf index.php lang lib pages securimage style
With the securimage folder in place, the next step is to add the code that displays the CAPTCHA image inside the form. Edit pages/change.php and add the following at line 249, just below the Google reCAPTCHA code and above the submit input:
<tr><td colspan=2> <img id="captcha" src="securimage/securimage_show.php" alt="CAPTCHA Image" /> </td></tr>
Next, add the following HTML code to create a text input box:
<tr><td colspan=2> <input type="text" name="captcha_code" size="10" maxlength="6" /> <a href="#" onclick="document.getElementById('captcha').src = 'securimage/securimage_show.php?' + Math.random(); return false">[ Different Image ]</a> </td></tr>
At this point you can display the CAPTCHA image, refresh it and enter the code, but no validation is done yet. The next step is to modify the PHP code so that it validates the CAPTCHA code typed in by the user.
First add
require_once("securimage/securimage.php");
to index.php line 31, just above the language section.
Then add
# Check PHP Securimage CAPTCHA
$securimage = new Securimage();
if ( $result === "" ) {
    // Only run the CAPTCHA check when no earlier check has failed
    if ($securimage->check($_POST['captcha_code']) == false) {
        // The code was incorrect
        $result = "badcaptcha";
        // Log as a CAPTCHA failure (the original message said "reCAPTCHA")
        error_log("Bad CAPTCHA attempt with user $login");
    }
}
to pages/change.php inside the #Check reCAPTCHA section, at the end of the existing if block.
The call to the check method verifies the generated CAPTCHA code against the code entered by the user. If the code is incorrect, $result is set to "badcaptcha" and an error message is printed using the Self Service Password functions.
Similarly, it is possible to modify the other existing Self Service Password pages to benefit from the self hosted CAPTCHA verification module.
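One way to reuse the check on the other pages, as an added example that is not code from Self Service Password or Securimage: the helper name check_captcha_field, its parameters and the FakeCaptcha stand-in are assumptions. It also treats a missing or non-string captcha_code as a failed attempt and cleans the login value before it is written to the log.

```php
<?php
// Added example: not part of Self Service Password or Securimage.
// check_captcha_field() and FakeCaptcha are hypothetical names.

// $captcha: any object with a check($code) method, e.g. new Securimage()
// $post:    the submitted form fields ($_POST in a real page)
// $result:  Self Service Password's current result string ("" = no error yet)
function check_captcha_field($captcha, array $post, $result, $login) {
    if ($result !== "") {
        return $result;                 // keep the earlier error, skip the CAPTCHA
    }
    // A missing field or a non-string value (captcha_code[]=x) counts as empty.
    $code = (isset($post['captcha_code']) && is_string($post['captcha_code']))
        ? trim($post['captcha_code']) : "";
    if ($code !== "" && $captcha->check($code)) {
        return "";
    }
    // $login comes from the form: cap its length and replace control and
    // non-ASCII bytes so a crafted value cannot add fake lines to the log.
    $safe = preg_replace('/[^\x20-\x7E]/', '?', substr((string) $login, 0, 64));
    error_log("Bad CAPTCHA attempt with user " . $safe);
    return "badcaptcha";
}

// In a Self Service Password page the call would be:
//   $result = check_captcha_field(new Securimage(), $_POST, $result, $login);

// Constructed stand-in so this file runs from the command line without Securimage.
class FakeCaptcha {
    public function check($code) { return $code === "abc123"; }
}

// Constructed sample submissions.
$cases = array(
    "correct code"  => array('captcha_code' => "abc123"),
    "wrong code"    => array('captcha_code' => "zzzzzz"),
    "array value"   => array('captcha_code' => array("abc123")),
    "field missing" => array(),
);
foreach ($cases as $name => $post) {
    $r = check_captcha_field(new FakeCaptcha(), $post, "", "jdoe\nforged line");
    echo $name . ": " . ($r === "" ? "ok" : $r) . "\n";
}
```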
More information about customizing Securimage can be found at https://www.phpcaptcha.org/
Based on:
Securimage v3.6.4
Self Service Password v0.9