Verifying reCAptcha tokens

  • Resolved Chuckie

    (@ajtruckle)


    1 year, 9 months ago

    View post on imgur.com

    I noticed this waning in the reCAPTCHA Admin console this morning and wondered if you could shed any light on it.

    Yesterday I did activate the v3 reCAPTCHA for my reviews. And the rest of the site uses v3 via CATCHPA 4WP (Premium).

    The warning refers to:

    Verifying the user’s response  |  reCAPTCHA  |  Google Developers

    What confuses me slightly though is that in my admin console it is only that latter plugin that is being listed as providing responses. Should I be excluding my user reviews web page in that plugin?

    Not sure how to proceed.

    The page I need help with: [log in to see the link]

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Gemini Labs

    (@geminilabs)

    This looks like it might be a C4WP issue.

    C4WP executes the captcha to generate the token on page load.

    Site Reviews executes the captcha to generate the token when the review form is submitted.

    Also, the C4WP script that generates the reCAPTCHA token on page load does not perform any verification to determine if the input[name="g-recaptcha-response"] is created by itself or another plugin. This means that even if another plugin is executing reCAPTCHA on an action (instead of on page load), C4WP will still generate a token for it which is never used.

    Finally, all reCAPTCHA v3 requests that are made by Site Reviews contain the submit_review action. You can see these on your reCAPTCHA admin dashboard.

    Thread Starter Chuckie

    (@ajtruckle)

    Thanks. I have passed your feedback on to them here. I await their reply.

    At the moment only advanced_nocaptcha_recaptcha shows in the admin console.

    Thread Starter Chuckie

    (@ajtruckle)

    As a minimum, I have excluded the user reviews page from C4WP.

    I then did a test and initially it was flagged as spam. So, I input a proper review and it went through. I am assuming that tomorrow I will see submit_review in my admin console.

    Is there any way for you to confirm that catchpa now looks “ok” from your perspective on my page?

    I will continue to reach out to the other authors about how they are actually creating tokens etc.

    Plugin Author Gemini Labs

    (@geminilabs)

    I still see the inline C4WP script on your /user-reviews/ page which is executing recaptcha to generate a token on page load.

    And here you can see that two reCAPTCHA widgets have been rendered on the page (the first one by C4WP on page load, the second by Site Reviews when the form is loaded):

    The “Top 10 actions” chart shows the top 10 actions by overall traffic for your site. So it is unlikely that you will see the submit_review action there since the advanced_nocaptcha_recaptcha action is being sent on every page load by C4WP.

    • This reply was modified 1 year, 9 months ago by Gemini Labs.
    Thread Starter Chuckie

    (@ajtruckle)

    I think is is because they have an option to load the catchpa on every page or just form pages. Oh well! We wait and see.

    I have just purged the performance cache just incase that is why.

    Have a good evening.

    • This reply was modified 1 year, 9 months ago by Chuckie.
    Thread Starter Chuckie

    (@ajtruckle)

    Hi, I have now received an updated plugin for C4WP and they tell me that these issues are now fixed. I have sent a couple of test reviews to myself and will see if your plugin’s action gets listed in my recaptcha console panel. I assume I won’t see results until tomorrow.

    Are you able to verify? Same link as before.

    I am assuming it is now working because I see your badge below the form now and I don’t think I did before.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Verifying reCAptcha tokens’ is closed to new replies.