Basic Captcha problem

I found basic Captcha is not working sometimes (see attached image). The problem can be duplicated at Account Register page (account/register) and Checkout page (checkout/checkout)

Also, refreshing the page with basic captcha or jump to another page and back to basic captcha MAY help to solve the problem for sometimes but not 100%.

Tested browser:

Firefox 71.0
Google Chrome 80.0

Tested version (fresh installation):

3.0.3.7
3.0.3.6
3.0.3.1

And I found such issue was reported at below URLs, but the problem is not really fixed.

viewtopic.php?f=201&t=210895&p=761115&h ... ha#p761115
viewtopic.php?f=201&t=218793&p=792459&h ... ha#p792459

In addition, in order to locate the problem, I have updated the file as below

catalog/controller/extension/captcha/basic.php
# line 21
return $this->language->get('error_captcha');
# changed to
return $this->language->get('error_captcha') . ' - session: ' . json_encode($this->session->data);


I also recorded a video so that everyone can see the problem easily
https://www.youtube.com/watch?v=yBlFnuHXkMY

You can see that the first time $this->session->data['captcha'] is empty, after visit contact us page to load the captcha, $this->session->data['captcha'] is correct for contact us page. But in checkout page $this->session->data['captcha'] is always wrong .

After more testing, I think I have found the problem.

1. edit system/library/session.php (line 81) as below:

public function close() {
# debug
$file = fopen("/var/www/vhosts/test.com/debug.log","a");
fwrite($file, $this->session_id . ' - ' . json_encode($this->data) . "\r\n");
fclose($file);
$this->adaptor->write($this->session_id, $this->data);
}

2. go to check out page, check inspect element in the browser (Ctrl-Shift-C for Firefox) > Network tab > click "Continue" on the checkout page > you will see accessing below 4 URLs by AJAX:

index.php?route=checkout/guest
index.php?route=extension/captcha/basic/captcha
index.php?route=checkout/checkout/customfield&customer_group_id=1
index.php?route=checkout/checkout/country&country_id=222


3. check the debug.log, there are 4 lines like below, note that "0f584c" is the old catpcha value, this means that the captcha value is updated to the database 4 times in this order: 0f584c > 9ea9d6 > 0f584c > 0f584c , you can see the captcha value was updated to the "0f584c" finally, that's why sometimes the captcha works and sometimes it doesn't.

2333aeefdabfa7a76a1b78a7c9 - {"language":"en-gb","currency":"USD","captcha":"0f584c"}
2333aeefdabfa7a76a1b78a7c9 - {"language":"en-gb","currency":"USD","captcha":"9ea9d6"}
2333aeefdabfa7a76a1b78a7c9 - {"language":"en-gb","currency":"USD","captcha":"0f584c"}
2333aeefdabfa7a76a1b78a7c9 - {"language":"en-gb","currency":"USD","captcha":"0f584c"}

Hope OpenCart developer or someone can solve it.

I would suggest to create a new issue on the Github Repository, since you are also explaining this theory for OC v3.0.3.7 release.

Thanks for your suggestion.

I have already created it at Github, here is the URL for your reference [https://github.com/opencart/opencart/issues/9630].

This is due to lack of locking in the session handlers to prevent concurrent writes. It's been reported here. https://github.com/opencart/opencart/issues/7968

OpenCart 2.x and 1.5.x are not affected as they use native PHP sessions which lock the session data, as explained here.
https://www.php.net/manual/en/function. ... -close.php