Need to destroy the CAPTCHA after login
If you use the Firefox browser with the Live HTTP Headers plug-in to repeat requests, use the following procedure:
1- Log in with a valid CAPTCHA, then log off
2- Go back to the Live HTTP Headers tool, pick up the login request, then try to replay it
If it logs in successfully again with the first, already-solved CAPTCHA, you are vulnerable.
Most CAPTCHAs don't destroy the session when the correct phrase is entered. So by reusing the session id of a known CAPTCHA image, it is possible to automate requests to a CAPTCHA-protected page. Certain CAPTCHA implementations accumulate CAPTCHA solutions or identifiers in their HTTP session. That is, for each request for a new CAPTCHA, the previous value is retained and a new CAPTCHA solution or identifier is also added to the HTTP session. An attacker can exploit this scenario by manually solving one CAPTCHA for an HTTP session and then reusing that solution or identifier and the SESSIONID value to make a large number of successful submissions.
Solution: destroy the session when the first correct CAPTCHA is entered.
Any suggestions?
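One way to implement the single-use check proposed above, as an added example that is not code from the original work item: the CAPTCHA answer is stored per session id, a new CAPTCHA replaces (rather than accumulates beside) the previous one, and the answer is removed from the store on the first verification attempt, so replaying the same session id and answer fails. The in-memory `CaptchaStore`, the constructed session id and the `ReplayableCaptchaStore` that reproduces the flawed pattern are all assumptions made for this illustration.

```python
"""Single-use CAPTCHA verification versus the replayable pattern.

Hypothetical in-memory store; a real application would keep the pending
answer in its server-side session and render an image from it.
"""
import hmac
import secrets
import string


class CaptchaStore:
    """Hardened pattern: one CAPTCHA per session, consumed on first use."""

    def __init__(self):
        # session_id -> pending CAPTCHA answer (assumed store layout)
        self._pending = {}

    def issue(self, session_id, length=6):
        """Generate a fresh CAPTCHA for the session.

        Assigning (not appending) ensures an earlier, possibly solved,
        answer is not retained alongside the new one.
        """
        alphabet = string.ascii_uppercase + string.digits
        answer = "".join(secrets.choice(alphabet) for _ in range(length))
        self._pending[session_id] = answer
        return answer  # the image would be rendered from this value

    def verify(self, session_id, submitted):
        """Return True at most once per issued CAPTCHA.

        The pending answer is popped on any attempt, so a replayed request
        (same session id, same answer) finds nothing to match and fails,
        and a wrong guess forces a new CAPTCHA to be issued.
        """
        expected = self._pending.pop(session_id, None)
        if expected is None:
            return False
        # constant-time comparison avoids leaking the answer via timing
        return hmac.compare_digest(
            expected.encode(), submitted.strip().upper().encode()
        )


class ReplayableCaptchaStore(CaptchaStore):
    """The flawed pattern from the report: the solved answer stays in the
    session, so the same solution keeps verifying on every replay."""

    def verify(self, session_id, submitted):
        expected = self._pending.get(session_id)  # never removed
        if expected is None:
            return False
        return hmac.compare_digest(
            expected.encode(), submitted.strip().upper().encode()
        )


def replay_outcome(store):
    """Solve once, then replay the identical submission.

    Returns (first_attempt_ok, replay_ok).
    """
    session_id = "sess-demo-1"  # constructed session id for the example
    answer = store.issue(session_id)
    first = store.verify(session_id, answer)
    replay = store.verify(session_id, answer)
    return first, replay


def reissue_invalidates_old_answer(store):
    """Requesting a new CAPTCHA must make the previous answer useless."""
    session_id = "sess-demo-2"  # constructed session id for the example
    old_answer = store.issue(session_id)
    store.issue(session_id)  # user refreshed the CAPTCHA image
    return store.verify(session_id, old_answer)


if __name__ == "__main__":
    print("hardened  (first, replay):", replay_outcome(CaptchaStore()))
    print("replayable (first, replay):", replay_outcome(ReplayableCaptchaStore()))
```

Rotating the session id on successful login is a complementary step: even if a CAPTCHA answer were somehow retained, a captured pre-login request would then carry a session id that no longer exists.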