This TYPO3 extension provides a Challenge/response spam shield for TYPO3 ext:form to prevent automated form submissions.
Challenge/response spam shield adds a hidden input field to every form generated by the TYPO3 form extension. The input field has a precalculated value with a challenge. The included JavaScript will use the challenge to calculate an expected response which will be checked on every form submission. If the expected response is not submitted, validation for the hidden input field is considered as failed and no email will be sent.
In order to make automatic form submissions harder for spambots with active JavaScript, a configurable delay for the JavaScript response calculation can be defined in the extension settings (default value: 3 seconds).
Yes, the challenge/response spam shield can be bypassed, if the algorithm used by the extension is implemented to a spambot. This is however unlikely, since the spambot either has to use JavaScript (which I believe most spambots do not) or has to extract the challenge from the parsed HTML and must calculate and submit the response correctly.
The extension uses JavaScript to calculate the expected response, so if JavaScript is disabled on client side, form submission will not be possible.
A modern webbrowser is required to run the JavaScript. Internet Explorer < 11 is not supported.
Just install the extension on your TYPO3 website using composer or the TYPO3 extension manager. No further configuration is required.
The extension has the following extension settings, which can be adjusted if required. The default values should however be fine for most websites.
Defines the delay in seconds for the JavaScript response calculation. The default value is 3 seconds.
If the calculated page cache lifetime if very low (e.g. 60 seconds), it may not be possible to fill out a
form before the expiration time for the CR response is reached. This setting defines the minimum amount of
second, the calculated page cache lifetime must have. Default value is 900 seconds.
Defines the amount of seconds, which is added to the calculated page cache lifetime, if the calculated page cache
lifetime is below the defined value in minimumPageExpirationTime.
Defines the obfuscation method used for the challenge/response calculation. Possible values are:
1- ROT13 (default value)2- Reverse String
To log failed requests, it is possible to use a dedicated logfile like shown below:
$GLOBALS['TYPO3_CONF_VARS']['LOG']['Derhansen']['FormCrshield']['writerConfiguration'] = [
\TYPO3\CMS\Core\Log\LogLevel::DEBUG => [
\TYPO3\CMS\Core\Log\Writer\FileWriter::class => [
'logFile' => \TYPO3\CMS\Core\Core\Environment::getVarPath() . '/log/form-crshield.log',
]
]
];
The extension provides the service ChallengeResponseService which can be used to retrieve and validate
the challenge and the expected response. 3rd party extensions can use this service and the included JavaScript
snippet to implement the challenge/response protection in their own forms (e.g. Extbase forms).
| Version | TYPO3 | PHP | Support/Development |
|---|---|---|---|
| 3.x | 13.x | 8.2 - 8.4 | Features, Bugfixes, Security Updates |
| 2.x | 13.x | 8.2 - 8.4 | Features, Bugfixes, Security Updates |
| 1.x | 10.4 - 12.4 | 7.2 - 8.4 | Features, Bugfixes, Security Updates |
The following extensions use the challenge/response algorithm:
- Thanks to 3m5. Media GmbH for supporting my open source work on this extension