Problems during registration (Technics)

by Auge ⌂ @, Tuesday, May 08, 2018, 18:05 (72 days ago)

Hello

During the work on the inclusion of a data privacy statement I encountered a serious problem with the registration form – not for the first time (see the third paragraph). My browser, which is allowed to store form input for later re-use, put data into one of the honeypot fields. That led to the impossibility of registering a new user because of the check for the emptiness of the honeypot fields, which must fail now.

Even the attempt to use the attribute autocomplete="off" in several input fields failed. I don't know if the reason is the browser's assumption that the form is a login form (most browsers ignore the attribute in login forms) or if it is due to the fact that the default template is written in XHTML1 and the attribute does not exist in XHTML.

We discussed this before in GitHub issue #324. At that time I made exactly the same observations but found no reason for it and came to the same conclusions without knowing the reason that caused the problem. This time I had to remove the stored form data from the browser at the end to be able to register a new user.

Even though I found the reason and a workaround, most other people who hit this trap will get lost. We need a solution without blaming the users for their browser configuration. I will test the effect of autocomplete="off" in my HTML5-using theme because it's my only idea to solve this. I hope that it works. If so, we should also change the default theme to HTML5 to be able to use this and further new features.

Tschö, Auge

--
Trenne niemals Müll, denn er hat nur eine Silbe!

Problems during registration

by Milo ⌂, Wednesday, May 09, 2018, 07:02 (72 days ago) @ Auge

Hi,

This time I had to remove the stored form data from the browser at the end to be able to register a new user.

I believe the name of the form element, i.e. the text field name phone, is the problem. It seems to be a real honeypot on your local system. ;-)

autocomplete="off" in my HTML5-using-theme because it's my only idea to solve this. I hope that it works.

I don't think so. Maybe it works for some browsers, but it is not a comprehensive solution.

/Micha

--
applied-geodesy.org - OpenSource Least-Squares Adjustment Software for Geodetic Sciences

Problems during registration

by Auge ⌂ @, Wednesday, May 09, 2018, 08:18 (72 days ago) @ Milo

Hello

This time I had to remove the stored form data from the browser at the end to be able to register a new user.


I believe the name of the form element, i.e. the text field name phone, is the problem.

The field "phone" is left empty but "repeat_email" gets my nickname (!) as its value. That in itself is weird enough. The obvious problem is the non-emptiness of the field that causes the error message about missing information.

It seems to be a real honeypot on your local system. ;-)

Which of my local systems? My laptop with Firefox on Linux? My workstation at work with Firefox on Windows 10 (both are affected)? The only untested computer is the one at home … oh and I haven't tested it on my phone. :-)

autocomplete="off" in my HTML5-using-theme because it's my only idea to solve this. I hope that it works.

I don't think so. Maybe it works for some browsers, but it is not a comprehensive solution.

What else is a proper solution?

- A user should use another browser for the registration? No way, no one will ever switch to another browser for a forum registration. And last but not least: what about the honeypot fields in the posting form? A visitor expects a site to work or she/he will leave the site.
- A user should change the browser settings for storing form content? Even if the browser makes this possible without digging in i.e. about:config or chrome://about, the user will hate the forum operator or programmers afterwards because of the loss of prefill values for forms and login information. I do, because I had to create a new password after the action (I have several passwords for several services in my head but not this one (*grml*)). Besides that, I found the settings and menu items to remove stored information and to switch off the collection of form and search data, but even with deactivated collection the present data will be in use until its deletion. One has to know this pitfall.

In short: I expect not to be the only one who activated this setting. So I expect further forum visitors to hit the trap. Most of them will not be able to avoid the trap and to solve the issue in their browser settings. As I said, I have no further idea. :-(

Tschö, Auge

--
Trenne niemals Müll, denn er hat nur eine Silbe!

Problems during registration

by Milo ⌂, Wednesday, May 09, 2018, 08:34 (71 days ago) @ Auge

Hi,

Which of my local systems?

If you use the same profile, it is redundant and not independent. I checked the behaviour on Opera, Firefox and IE without any problems.

What else is a proper solution?

As I said: renaming the form elements

/Micha

--
applied-geodesy.org - OpenSource Least-Squares Adjustment Software for Geodetic Sciences

Problems during registration

by Auge ⌂ @, Wednesday, May 09, 2018, 09:48 (71 days ago) @ Milo

Hello

Which of my local systems?


If you use the same profile, it is redundant and not independent. I checked the behaviour on Opera, Firefox and IE without any problems.

Was only a rhetorical question. :-)

My local PC (untested) has the same profile as the Firefox on the laptop (tested and affected) but all other browsers on all other devices (i.e. on my workstation, tested and affected) have their own, independent profiles. But they might have similar settings with different stored data.

What else is a proper solution?


As I said: renaming the form elements

Do you have ideas for reasonable but (probably) non-hazardous names?

Tschö, Auge

--
Trenne niemals Müll, denn er hat nur eine Silbe!

Problems during registration

by Milo ⌂, Wednesday, May 09, 2018, 10:00 (71 days ago) @ Auge

Hi,

Do you have ideas for reasonable but (probably) non-hazardous names?

No, but maybe we should rename ALL text fields to cryptic names. This should avoid your problem and spam (because no field has an adequate name).

/Micha

--
applied-geodesy.org - OpenSource Least-Squares Adjustment Software for Geodetic Sciences

Problems during registration

by Auge ⌂ @, Wednesday, May 09, 2018, 11:31 (71 days ago) @ Milo

Hello

Do you have ideas for reasonable but (probably) non-hazardous names?


No, but maybe we should rename ALL text fields to cryptic names. This should avoid your problem and spam (because no field has an adequate name).

Sounds reasonable. Let's put this to the list for version 2.5. The list of GDPR-related changes for 2.4.10 is long enough.

Tschö, Auge

--
Trenne niemals Müll, denn er hat nur eine Silbe!
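
The renaming idea the thread ends on, as an added Python sketch (not part of the original posts and not my little forum's code): every text field gets a per-render opaque name derived with an HMAC, so stored form data keyed by an old field name no longer lands in a honeypot, while a bot that fills every field still trips it. Assumptions: the secret, the per-render token, the real field names `user_name` and `email`, and the simplified model of browser form history being keyed by field name.

```python
import hashlib
import hmac
import secrets

SECRET = b"constructed-example-secret"  # assumption: per-installation secret
# Logical fields; True marks a honeypot ("phone", "repeat_email" as in the thread).
FIELDS = {"user_name": False, "email": False, "phone": True, "repeat_email": True}


def opaque_name(logical, token):
    """Per-render field name carrying no hint of the field's purpose."""
    mac = hmac.new(SECRET, f"{token}:{logical}".encode(), hashlib.sha256)
    return "f" + mac.hexdigest()[:16]


def field_names(token=None):
    """Names to render; token=None reproduces the plain, guessable names."""
    return {l: (opaque_name(l, token) if token else l) for l in FIELDS}


def browser_autofill(names, history):
    """Simplified model (assumption): stored form data is keyed by field name."""
    return {n: history[n] for n in names.values() if n in history}


def tripped_honeypots(post, token=None):
    """Logical names of honeypot fields that arrived non-empty.

    The token is assumed to be kept server-side (e.g. in the session)
    between rendering the form and receiving the submission.
    """
    names = field_names(token)
    return [l for l, trap in FIELDS.items()
            if trap and post.get(names[l], "").strip()]


# Constructed browser history resembling the report: a nickname stored
# under the name of a honeypot field.
HISTORY = {"repeat_email": "mynick", "user_name": "mynick"}


def demo():
    token = secrets.token_hex(8)
    plain = browser_autofill(field_names(), HISTORY)
    opaque = browser_autofill(field_names(token), HISTORY)
    bot = {n: "spam" for n in field_names(token).values()}  # fills every field
    return (tripped_honeypots(plain),
            tripped_honeypots(opaque, token),
            tripped_honeypots(bot, token))


if __name__ == "__main__":
    print(demo())
```

Because the names change on every render, the browser will also stop offering stored values for the real fields, which is the trade-off of renaming all text fields rather than only the honeypots.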
