Recaptcha keys expiring

  • Resolved elyrko

    (@elyrko)


    1 year, 2 months ago

    Why is your reCaptcha executed on page load not on the action like specified on google’s documentation?
    https://developers.google.com/recaptcha/docs/v3

    Note:?reCAPTCHA tokens expire after two minutes. If you’re protecting an action with reCAPTCHA, make sure to call?execute?when the user takes the action rather than on page load.

    Users should not see this message regarding the captchas, is this a technical error or is there a reason on why it’s not set properly for user login/register actions?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support andrewsupport

    (@andrewsupport)

    Hi,

    The main thing is that we cannot intercept the submission in every form.
    We have compatibility with many forms, some of them handle the submit themselves and we have no way to intercept the event.
    Not all versions support grecaptcha.execute on submit, because the callback occurs earlier, and when the captcha is already loaded, it takes about 2 minutes to validate it.
    If the user downloaded the page and then submitted the form, it will be a pity if the captcha is already expired and the form does not pass validation. So we output the expiration message.

    Thank you for bringing this issue to your attention.
    We may think about developing the functionality of captcha loading by event – this will be a setting if the form supports and the option is selected.

    Thread Starter elyrko

    (@elyrko)

    I understand, but my concern was with wordpress default forms. Forms that are submitted to /wp-login.php endpoint. Even with custom forms shouldn’t it be a solution to intercept it then? Like telling the user to add a specific class/attr/id and then preventing the default submit until the recaptcha is verified and then continueing with the submission?

    Something like:

    let is_verified = false;
    jQuery('form').on('submit', function(e){
    if(is_verified){
    // jQuery('form').submit();
    }else{
    // vverify captcha?
    is_verified = true;
    }
    });

    This is obviously untested but shouldn’t it work?

    • This reply was modified 1 year, 2 months ago by elyrko.
    Plugin Support andrewsupport

    (@andrewsupport)

    The fact is that we cannot always intercept events from a custom form, everything depends on the form itself. If it has its own js function, the form can prevent data from being passed to other scripts and then our check will never work.
    You can use Custom code to write the js you need specifically for your form and do all the checks there.
    Therefore, if you need to have a captcha on the form that then transfers data to /wp-login.php, then you put 2 checkboxes – use the captcha in your custom form and in the login form.
    Unfortunately, the reverse situation – when the login form has a captcha, but the custom form does not – cannot be done. If your form uses /wp-login.php, the data will be loaded in the database – either during registration or during login.
    This situation requires the use of a captcha. Therefore, our recommendation is to use captcha in both forms.
    If you need help, please contact us through the Help Center.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Recaptcha keys expiring’ is closed to new replies.