
The v2 reCaptcha has some dramatic improvements over previous iterations. When first implemented (using PHP verification btw) all it asked from my users was to check a box. Then after a few form submissions, it asked for a user to identify some images, then after a few more form submissions it asks the user to verify multiple image challenges.

Does anyone know of a way to completely turn off/disable manual image challenges in the Google reCaptcha API? i.e. I want them to ONLY check the JS checkbox - like the first few times the form was completed.

I know it kind of defeats the purpose, but I'm prepared to deal with a little bit of spam if traded for a much better user experience.

I've tried:

  • turning off the JS by adding https://www.google.com/recaptcha/api.js?manual_challenge=false (dug up the line from some old API settings)
  • https://www.google.com/recaptcha/api.js?fallback=false (the alternative 'true' just forces a non-JS version)
  • https://www.google.com/recaptcha/api.js?data-type=none (a shot in the dark based on their display options)

I am assuming Google monitors the implementation and changes the UI intelligently. In my instance many requests from the same IP address look like a bot and therefore require better verification. However, it is just a single user re-submitting the same form a number of times. What I'd like to do is override this to use the minimum security always.


asked Oct 5, 2015 at 15:53 by contool
  • Don't you think that if we could go around their willingness to verify, it wouldn't be of much help?... – Julio Soares Commented Oct 5, 2015 at 16:00
  • If it's the same user submitting repeatedly, then why even present the challenge to them after the first time? Check OWASP for proper session handling if sessions are a concern (and in my opinion, sessions are always a concern), then set a flag in their session stating whether or not they should be presented with a challenge. – Ghedipunk Commented Oct 5, 2015 at 16:23

2 Answers


Google's reCaptcha assumes that each time you're challenging someone, you suspect that they're a bot, so if they have already passed a challenge, the next challenge gets progressively harder.

Thus, only challenge someone when you think they might be a bot, such as the first time they submit the form, or if they're not authenticated to your site. Once Google tells you that the user is safe, trust them unless/until you have reason to suspect that user again.

The PHP $_SESSION superglobal is probably your best bet, but as with all sessions, be certain that you're following best practices (session name fingerprinting, token entropy, session fixation attacks, mixing insecure and TLS sessions, etc.).

The way I would handle it is, when a user first successfully passes a CAPTCHA challenge, do not challenge them again.

The example below is based on the code provided by Google in their example: https://github.com/google/recaptcha/blob/master/examples/example-captcha.php

<?php
session_start(); // $_SESSION is only available once the session has been started
require_once __DIR__ . '/vendor/autoload.php'; // google/recaptcha library used by Google's example

$secret = 'YOUR_SECRET_KEY'; // placeholder: secret key from the reCAPTCHA admin console
$lang = 'en';                // language passed to the widget via ?hl=
$gRecaptchaResponse = $_POST['g-recaptcha-response'] ?? '';
$remoteIp = $_SERVER['REMOTE_ADDR'] ?? '';

if (empty($_SESSION['isCaptchaVerified'])) {
    $recaptcha = new \ReCaptcha\ReCaptcha($secret);
    $resp = $recaptcha->verify($gRecaptchaResponse, $remoteIp);
    if ($resp->isSuccess()) {
        // verified! remember it for the rest of this session
        $_SESSION['isCaptchaVerified'] = true;
    } else {
        $errors = $resp->getErrorCodes();
    }
}
...
?>
<form action="/" method="post">
    ...
    <?php if (empty($_SESSION['isCaptchaVerified'])) { ?>
        <!-- the widget container; without it the script alone renders nothing -->
        <div class="g-recaptcha" data-sitekey="YOUR_SITE_KEY"></div>
        <script type="text/javascript"
            src="https://www.google.com/recaptcha/api.js?hl=<?php echo $lang; ?>">
        </script>
    <?php } ?>
</form>

This will:

  • Check if the user has passed a challenge before
  • Present the challenge if $_SESSION['isCaptchaVerified'] is not set or falsey
  • Not present any challenge if $_SESSION['isCaptchaVerified'] is truish

(See the PHP manual entry on empty() for what constitutes truish and falsey in this context).
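The following is an added example, not code from the answer above or from Google's library, that carries the same "challenge once per session" idea through with the session hygiene the answer only names: TLS-only, HttpOnly cookies, regenerating the session id when the flag is set (so a session fixated before the challenge does not inherit it), a time limit on the flag, and a hook to reset it on sensitive events. It calls Google's siteverify endpoint directly and checks the returned hostname. The environment variable names RECAPTCHA_SECRET and RECAPTCHA_SITEKEY, the constant values, and EXPECTED_HOSTNAME are assumptions; PHP 7.3 or later is assumed for the samesite cookie option.

```php
<?php
// Added example: session-gated reCAPTCHA v2 verification with session hygiene.
// Assumes PHP >= 7.3 and the env vars RECAPTCHA_SECRET / RECAPTCHA_SITEKEY (assumed names).
declare(strict_types=1);

const CAPTCHA_TTL_SECONDS = 3600;          // assumed policy: re-challenge after an hour
const EXPECTED_HOSTNAME   = 'example.com'; // placeholder: the host the widget is served from

// Cookie flags limit how far a stolen or fixated session can carry the "verified" flag.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,   // TLS only; never share the session between http and https
    'samesite' => 'Lax',
]);
session_start();

/** POST to Google's siteverify endpoint and apply the hostname check the raw API leaves to you. */
function verifyRecaptcha(string $secret, string $response, string $remoteIp): bool
{
    if ($secret === '' || $response === '') {
        return false;
    }
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query([
            'secret'   => $secret,
            'response' => $response,
            'remoteip' => $remoteIp,
        ]),
        'timeout' => 5,
    ]]);
    $raw = @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $ctx);
    if ($raw === false) {
        return false; // fail closed when Google cannot be reached
    }
    $json = json_decode($raw, true);
    return is_array($json)
        && ($json['success'] ?? false) === true
        && ($json['hostname'] ?? '') === EXPECTED_HOSTNAME;
}

/** True while the session carries a fresh "passed the CAPTCHA" timestamp. */
function captchaStillValid(array $session): bool
{
    return !empty($session['captchaVerifiedAt'])
        && (time() - (int) $session['captchaVerifiedAt']) < CAPTCHA_TTL_SECONDS;
}

/** Call on events that deserve a new challenge (login, password change, and so on). */
function resetCaptchaFlag(): void
{
    unset($_SESSION['captchaVerifiedAt']);
}

$needsChallenge = !captchaStillValid($_SESSION);

if ($_SERVER['REQUEST_METHOD'] === 'POST' && $needsChallenge) {
    $ok = verifyRecaptcha(
        getenv('RECAPTCHA_SECRET') ?: '',
        $_POST['g-recaptcha-response'] ?? '',
        $_SERVER['REMOTE_ADDR'] ?? ''
    );
    if ($ok) {
        // New session id so an id fixated before the challenge does not inherit the flag.
        session_regenerate_id(true);
        $_SESSION['captchaVerifiedAt'] = time();
        $needsChallenge = false;
    } else {
        http_response_code(400);
        exit('CAPTCHA verification failed');
    }
}
?>
<form action="/" method="post">
    <?php if ($needsChallenge): ?>
        <div class="g-recaptcha"
             data-sitekey="<?= htmlspecialchars(getenv('RECAPTCHA_SITEKEY') ?: '') ?>"></div>
        <script src="https://www.google.com/recaptcha/api.js" async defer></script>
    <?php endif; ?>
    <button type="submit">Send</button>
</form>
```

The timestamp instead of a boolean is what makes the TTL possible; a verified user is never shown the widget again within that window, which is the behaviour the question asks for, while a stale or stolen session still has to pass one challenge.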

Go to your admin console in Google where you set up reCaptcha for the site. Click on advanced settings and reduce the security preference to the least. Solved.

Tags: javascript | Remove manual challenge from google reCaptcha v2 | Stack Overflow