[Invalid] Bug in BotCheck Page (in General)

I just got a botcheck which I typed incorrectly. The next botcheck page loaded very quickly and I still had my enter key pressed and it allowed me to submit a blank botcheck submission. It locked me out now. I did not type anything or have the box prefilled, and I know it allowed a blank submission.

Please unblock me (one of the admins) and fix the bug Jonathan.

Thanks.

Strange because in both FireFox and Internet Explorer I get a message when not having typed in anything in my bot check...

I don't really think the bug will be deactivated just for me somehow...

Just for info purposes. I'm on FF right now and I got a bot check (can't believe how long I had to wait for one to be honest!)
It would not let me enter a blank field, either with the enter button or by clicking "go". I got the "please enter a three- or four- bla bla".
I failed it on purpose and tried to hit enter quickly after failing and it still would not let me enter a blank field.

I had the exact same thing happen to me a few days ago, I swear the second check (I clearly mis-typed my first guess) let me through empty.

Bart researched and said I typed "kain" twice. The first check was supposed to be "lain" and I clearly missed that one. The second check did in fact change, and there is no way I would have typed "kain" again for a completely different word. Browsing back through my pages showed an empty text box on the second check, and "kain" still in the first check.

I don't know how it happens, but I am convinced it does. The server sees the previously typed word on the second check. A full admin can check the words and see if that is the case. In fact, an admin could check all the botchecks and see how many of them have the same word twice. If this is happening any appreciable amount, it should be investigated. It would make no sense for people to be typing the same word twice when the botcheck image changes.

FYI, here is the previous link I am referring to:

Link.

I just tested and *WAS* able to reproduce this bug. A full admin can check my botcheck answers and see if it appeared to take the answer twice.

If you hit enter before you give the Javascript on the page any chance to load and start, then of course your browser does what you ask it to do: submit the page. I don't think there's much to do about this (at the server's end, that is).

happened to me before, i think FF3 is just too fast :P

There's no way to control that synchronicity?

First, no single page should ever be able to result in two fails. Only one fail per page, I am figuring that is probably working OK (if I am understanding what you are saying, bart...).

Next, if you are saying my "kain" submitted twice, once on the first page and once on the second, then simply check for the same word twice. What are the odds a mistaken word would honestly be the same thing twice? Even a computer trying to guess the second word would type something different (and actually fail).

I apologize for my lack of web programming skills, but I'm pretty sure if I tried to pull, "Well, the user pressed enter too fast, so we missed that bankruptcy on a debtor we were trying to sue... Now there's a lawsuit against us... Oh well, they pressed it too fast, what can you expect?" ... I'd get fired pretty quick. *smile* There has to be a way to know the order of things and keep them atomic, otherwise no banks on the planet would be trusted for web transactions...

bartjan: it is simple, check for a blank on the server side, and don't allow a submission if a blank was submitted

The problem here is that it's not a blank submission... You submitted 'gust' twice.

Then there is a problem with caching, because I did not type _anything_ in the second botcheck. In fact, I went back in my browser and verified I didn't type anything. I believe I retried 'maim' as the second botcheck and it didn't allow it.

Also, it is also easy for Jonathan make the page disabled until the DOM has loaded fully.

Then disregard any second guess that is the same as a previous one. There must be a way to check the previous guess, since you are doing it. *smile*

Relic, I am not sure such timings are "easy". From the limited amount of web page manipulation I have built (just simple "ghost in the machine" stuff for sites without web services), knowing when a page is done and when all actions are at a known state is not at all easy. I don't asynchronous behavior is ever, at least it is very good at making my limited brain hurt. *smile*

The checks need to be things that can all be done server-side, so I think checking a previous guess would be the simplest, if inelegant, solution. There are a lot of bot checks going on, so having another database hit at that time might be kind of a pain or drain, not sure.

Perhaps if it wasn't brought up in a public forum.


However, Jon can't simply have it check to see if the same word is used twice and let that through - that's wide open for bots.

How so, OB? You check for two in a row, and if second word is same, you give one more chance, still on that second botcheck image. Three in a row means out. That fixes the problem and is nothing a bot can exploit. Why would a bot put in the same word twice after the image had changed? That's a pretty bad bot algorithm. *smile*

Note: I am NOT saying that same word twice means a SUCCESSFUL check. It just means a "no guess" scenario like two characters or an empty guess would be.

I don't see anything wrong with that...

i would guess that this is the same issue with making purchases online and actually submitting your order twice.

i know that many web sites with shopping carts warn against this, with that in mind, i would doubt there is an easy solution or the retailers would have implemented it.

Well, a simple solution would be to have the second bot-check field have a different name than the first one. That way, even if you submit "bot_typing1" twice, the client-side and server-side checks will fail to find a value for "second_bot_check_value" and will call it blank.
YMMV and Jon might think of a better way.

You submitted the first page twice. When you went to submit the answer for the second bot check (might have been blank, could have been anything), it wasn't logged because you were already locked out because you double clutched on the first bot check.