
Remove manual challenge from google reCaptcha v2

The v2 reCaptcha has some dramatic improvements over previous iterations. When first implemented (using PHP verification, btw), all it asked of my users was to check a box. Then, after a few form submissions, it asked the user to identify some images, and after a few more form submissions it asked the user to solve multiple image challenges.

Does anyone know of a way to completely turn off/disable manual image challenges in the Google reCaptcha API? I.e. I want them to ONLY check the JS checkbox, like the first few times the form was completed.

I know it kind of defeats the purpose, but I'm prepared to deal with a little bit of spam if traded for a much better user experience.

I've tried:

I am assuming Google monitors the implementation and changes the UI intelligently. In my instance, many requests from the same IP address look like a bot and therefore require stronger verification. However, it is just a single user re-submitting the same form a number of times. What I'd like to do is override this to always use the minimum security.

Google's reCaptcha assumes that each time you're challenging someone, you suspect that they're a bot, so if they have already passed a challenge, the next challenge gets progressively harder.

Thus, only challenge someone when you think they might be a bot, such as the first time they submit the form, or if they're not authenticated to your site. Once Google tells you that the user is safe, trust them unless/until you have reason to suspect that user again.

The PHP $_SESSION superglobal is probably your best bet, but as with all sessions, be certain that you're following best practices (session name fingerprinting, token entropy, session fixation attacks, mixing insecure and TLS sessions, etc.)

The way I would handle it is, when a user first successfully passes a CAPTCHA challenge, do not challenge them again.

The example below is based on the code provided by Google in their example: https://github.com/google/recaptcha/blob/master/examples/example-captcha.php

<?php
require __DIR__ . '/vendor/autoload.php'; // google/recaptcha installed via Composer
session_start();                          // $_SESSION is empty until the session is started

// Only talk to Google when the widget was shown for this request and a token came back.
if (empty($_SESSION['isCaptchaVerified']) && isset($_POST['g-recaptcha-response'])) {
    $gRecaptchaResponse = $_POST['g-recaptcha-response'];
    $remoteIp = $_SERVER['REMOTE_ADDR'];
    $recaptcha = new \ReCaptcha\ReCaptcha($secret);
    $resp = $recaptcha->verify($gRecaptchaResponse, $remoteIp);
    if ($resp->isSuccess()) {
        // verified! remember it for the rest of this session
        $_SESSION['isCaptchaVerified'] = true;
    } else {
        $errors = $resp->getErrorCodes();
    }
}
...
?>
<form action="/" method="post">
    ...
    <?php if (empty($_SESSION['isCaptchaVerified'])) { ?>
        <!-- the script alone renders nothing; the widget needs this div and your site key -->
        <div class="g-recaptcha" data-sitekey="<?php echo $siteKey; ?>"></div>
        <script type="text/javascript"
            src="https://www.google.com/recaptcha/api.js?hl=<?php echo $lang; ?>">
        </script>
    <?php } ?>
</form>

This will:

  • Check if the user has passed a challenge before
  • Present the challenge if $_SESSION['isCaptchaVerified'] is not set or falsy
  • Not present any challenge if $_SESSION['isCaptchaVerified'] is truthy

(See the PHP manual entry on empty() for what constitutes truthy and falsy in this context.)
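An added example, not part of the answer above and not code from the google/recaptcha project: it keeps the answer's design (verify once, remember it in $_SESSION) but bounds that trust with a time limit and a submission cap, regenerates the session id on the privilege change, sets hardened cookie flags, and uses one function to decide both whether to render the widget and whether to call siteverify, so the two can never disagree. $secret, $siteKey, the TTL and the cap are assumptions to tune for your form; the ReCaptcha, setExpectedHostname(), verify(), isSuccess() and getErrorCodes() calls are the library API the answer already uses.

```php
<?php
// Added example (not from the original answer or from google/recaptcha):
// "verify once, then trust the session for a bounded time and a bounded
// number of submissions". Assumes the google/recaptcha Composer package is
// installed and that $secret / $siteKey hold your reCAPTCHA keys.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

const CAPTCHA_TRUST_TTL   = 1800; // seconds a passed challenge stays valid (hypothetical)
const CAPTCHA_TRUST_POSTS = 20;   // submissions allowed per passed challenge (hypothetical)

// Harden the session cookie before session_start(): HTTPS-only, not readable
// from JavaScript, not sent on cross-site navigations.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

/** True when the user must solve (or re-solve) the reCAPTCHA widget. */
function captchaRequired(array $session, int $now): bool
{
    if (empty($session['captcha'])) {
        return true;                       // never passed a challenge in this session
    }
    $c = $session['captcha'];
    $expired   = ($now - $c['verified_at']) > CAPTCHA_TRUST_TTL;
    $exhausted = $c['posts'] >= CAPTCHA_TRUST_POSTS;
    return $expired || $exhausted;         // trust lapses on either condition
}

/** Records a passed challenge and returns the stored payload. */
function markCaptchaPassed(int $now): array
{
    // A fresh session id after a trust change defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['captcha'] = ['verified_at' => $now, 'posts' => 0];
    return $_SESSION['captcha'];
}

$errors = [];
$now    = time();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (captchaRequired($_SESSION, $now)) {
        // The widget was rendered for this request, so a token must be present and valid.
        $token     = $_POST['g-recaptcha-response'] ?? '';
        $recaptcha = new \ReCaptcha\ReCaptcha($secret);
        $resp = $recaptcha
            ->setExpectedHostname($_SERVER['SERVER_NAME']) // reject tokens solved on another site
            ->verify($token, $_SERVER['REMOTE_ADDR']);
        if ($resp->isSuccess()) {
            markCaptchaPassed($now);
        } else {
            $errors = $resp->getErrorCodes(); // e.g. missing-input-response, timeout-or-duplicate
        }
    }

    if (!$errors) {
        $_SESSION['captcha']['posts']++;   // count this submission against the cap
        // ... handle the form ...
    }
}
?>
<form action="/" method="post">
    ...
    <?php if (captchaRequired($_SESSION, $now)) { ?>
        <div class="g-recaptcha" data-sitekey="<?php echo htmlspecialchars($siteKey); ?>"></div>
        <script src="https://www.google.com/recaptcha/api.js" async defer></script>
    <?php } ?>
    <button type="submit">Send</button>
</form>
```

Because captchaRequired() gates both the server-side verify() call and the rendering of the widget, the trusted path never calls Google (so a returning user cannot hit the escalating image challenges) and the untrusted path always does. When the TTL or the submission cap lapses, the user sees the checkbox again exactly once; a spammer who solves one challenge gets at most CAPTCHA_TRUST_POSTS submissions out of it instead of an unlimited session.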

Go to your admin console in Google where you set up reCAPTCHA for the site. Click on Advanced Settings and reduce the security preference to the lowest level. Solved.
