WolfShade
Legend
July 31, 2019
Answered

Issues with custom-built CAPTCHA

  • 2 replies
  • 2923 views

Hello, all,

We recently had our CAPTCHA bypassed (not surprising, as I kind of had to do a hack-ish job with it due to some security restrictions) and I custom-built a new one.

Apparently, our production environment is not 100% identical to our dev or staging environments, as it works well in those.

I just received an email from the customer stating that 1) the CAPTCHA is not matching in Firefox (possibly due to a constantly changing JSESSIONID), and 2) IE11 will not display the image, at all.  I checked for #2, and in production IE11 does, indeed, _not_ display the image.

On the code level, the image is being created like the following:

<img style="width: 200px; height: 85px;" src="data:image/*;base64,{and a long string of blob data}" />

Any suggestions?  I am at the end of my rope on this one.

V/r,

^ _ ^

    This topic has been closed for replies.
    Correct answer EddieLotter

    Okay, so I've done some research on this, and according to a Raymond Camden blog post what I am trying to do will only work if the image being served was from an existing image file because it will have a file extension indicating what kind of image file it is (.gif, .jpg, .png, etc.).  Since CF imageCreateCaptcha() is being used, there is apparently no default image type, so there's no file extension.

    Okay, that makes sense, but still you'd think that CFCONTENT could detect the type and use that.  Right?  Guess not.

    I tried following Raymond's example to print a blank space on the image, so as not to interfere with the CAPTCHA letters/numbers/symbols, but it isn't working.  The last error message I got was: "Verify your inputs. The source file should contain an extension,so that ColdFusion can determine the image format. "

    I'm using CFHEADER to name the file 'captchaimage.png' (also tried .gif and .jpg) but I guess that isn't good enough.

    Any other thoughts?

    V/r,

    ^ _ ^


    In your cfcontent tag, the "type" parameter must be a MIME type. Try "image/jpeg" or "image/png" and see what works.
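
Added example, not part of the original thread and not ColdFusion code: the data URI in the question declares `image/*`, which is a wildcard rather than a concrete MIME type. This sketch picks the concrete type from the image's leading bytes and rewrites the URI, refusing anything it cannot identify; the function names and the sample payload are constructed for illustration, and JavaScript (Node.js) is used in place of CFML.

```javascript
// File signatures (magic bytes) for the three formats named in the thread.
const SIGNATURES = [
  { mime: 'image/png',  magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/jpeg', magic: [0xff, 0xd8, 0xff] },
  { mime: 'image/gif',  magic: [0x47, 0x49, 0x46, 0x38] }, // "GIF8" (87a and 89a)
];

// Return the concrete MIME type for the image bytes, or null if unrecognised.
function sniffImageMime(bytes) {
  for (const { mime, magic } of SIGNATURES) {
    if (bytes.length >= magic.length && magic.every((b, i) => bytes[i] === b)) {
      return mime;
    }
  }
  return null;
}

// Rewrite a base64 data URI so its declared media type matches the payload.
// Fails closed: throws instead of emitting a wildcard or unknown type.
function fixDataUri(uri) {
  const m = /^data:([^;,]*);base64,([A-Za-z0-9+/=]+)$/.exec(uri);
  if (!m) throw new Error('not a base64 data URI');
  const mime = sniffImageMime(Buffer.from(m[2], 'base64'));
  if (!mime) throw new Error('payload is not PNG, JPEG or GIF');
  return `data:${mime};base64,${m[2]}`;
}

// Constructed sample: only the 8-byte PNG signature, base64-encoded
// (enough to identify the format; not a complete image).
const SAMPLE_PNG_B64 = Buffer.from(SIGNATURES[0].magic).toString('base64');
const SAMPLE_URI = `data:image/*;base64,${SAMPLE_PNG_B64}`;

console.log(fixDataUri(SAMPLE_URI));
```

The same sniffed value is what would go in the `type` attribute of `cfcontent` when the image is served as a response body instead of a data URI.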

    2 replies

    Charlie Arehart
    Community Expert
    July 31, 2019

    Are you saying you MUST stay with that custom-built captcha? Or are you asking for recommendations of ones that have worked?

    /Charlie (troubleshooter, carehart.org)

    WolfShade
    Author
    Legend
    July 31, 2019

    I _have_ to stay with my custom-built CAPTCHA, or build another one, because we are proscribed from using third-party turnkey solutions.  Rare exceptions are allowed, such as jQuery and Bootstrap (neither of which is CDN, must be local).  But we cannot use anything like Google's reCAPTCHA, or any other company's CAPTCHA product.

    We cannot use CFIMAGE to create the CAPTCHA because something in our settings/configuration/security is preventing CFIMAGE from being used (I think that access to the CFFileServlet folder is being denied, but don't know for sure.)

    V/r,

    ^ _ ^

    EddieLotter
    Inspiring
    August 5, 2019

    fileReadBinary()!!!!  That's what I was missing.  What a rookie mistake.  (facepalm)

    Sadly, I have given up on the funcimg.cfml include idea.  I will, however, be keeping it for future projects.  Thank you for the insight.

    V/r,

    ^ _ ^


    You're welcome.

    I wish there was a better way to get the binary representation of the image for writing the bits to the user agent.

    The imageGetBlob() function looked promising, but I couldn't get it to work. Perhaps an imageGetBinary(format) would be a good feature request? The format parameter would tell ColdFusion what image format to convert its internal image format to.

    EddieLotter
    Inspiring
    July 31, 2019

    Navigate to the page that should display the image.

    Press F12 to open Developer Tools.

    Click the "Network" tab.

    Refresh the Web page.

    In the "Result/Description" column of the "Network" tab, do you see any error result codes?

    WolfShade
    Author
    Legend
    July 31, 2019

    The _only_ thing that doesn't come back as 200 is favicon.ico.  Everything else is 200.

    V/r,

    ^ _ ^

    UPDATE:  favicon.ico has been fixed.