Reputation: 149
I've just started to experiment with Google's reCAPTCHA tool/service and am puzzled as to how it seems to be working. I've followed the guide for the 2.0 version which appears to be working for me (on my localhost) - but I haven't yet had to use the secret key. Is the secret key only necessary when host/domain is not "localhost"?
Our website relies on DWR (AJAX) instead of form submissions to interact with our backend, so I was expecting to have to somehow capture the user's response and send it to our DWR java method where I would then POST it to Google's verification service URL. I didn't seem to need to do that though.
I've added these to my main jsp file:
<script src='https://www.google.com/recaptcha/api.js?onload=onloadCaptchaCallback&render=explicit' async defer></script>
...
<div id="captchaDiv"></div>
and then the javascript I've added is:
var onloadCaptchaCallback = function() {
grecaptcha.render('captchaDiv', {
'sitekey' : 'MYSITEKEY',
'callback' : verifyCaptchaCallback
});
}
var verifyCaptchaCallback = function(g_recaptcha_response) {
console.log("Response validated. Not a robot.");
// thought I would need to add DWR (AJAX) call here to verify the response
// but this callback is only getting called on a successful response
// anyway - so no need to verify with google's service URL?
}
and the verifyCaptchaCallback function is only getting called when the user has satisfied the challenge. I haven't used the secret key yet. Am I missing something? Or is this how version 2 is expected to work - without the need for server-side processing? I see that when I click the Verify button on the challenge image dialog, a POST is sent to Google and evidently returns with a fail/succeed flag that causes the reCAPTCHA to either present another image challenge, or stop. I'm not manually sending the result to Google's verification service URL - it appears to be happening automatically. Is this behavior only happening because I'm still testing on my developer system with "localhost" - and will the behavior fail once the webapp is moved to our customer system?
Thanks for any clarification you can provide. Gregor
Upvotes: 2
Views: 6029
Reputation: 6277
You do need to verify user clicks. See how the reCaptcha works and how to insert it.
no need to verify with google's service URL?
You still need to verify using the g_recaptcha_response value. But you need to do it server-side! When the form is submitted to the server you have e.g. POST['g_recaptcha_response'] on your server.
var verifyCaptchaCallback = function(g_recaptcha_response) {
console.log("Response validated. Not a robot.");
// you can't do this now, since 'g_recaptcha_response' is an encoded value, neither true, nor false.
}
<?php
header('Content-type: application/json');
$url = 'https://www.google.com/recaptcha/api/siteverify';
// token the widget wrote into the hidden g-recaptcha-response textarea (or that your AJAX call sent)
$response = isset($_POST['g-recaptcha-response']) ? $_POST['g-recaptcha-response'] : '';
$secret = '<secret_key>'; // you add the secret key server side; it never goes to the browser
$params = array('secret' => $secret, 'response' => $response);
$json = file_get_contents($url . '?' . http_build_query($params)); // url-encodes both values
echo $json; // JSON from Google; its "success" field is true or false
why is a further step to verify against google's siteverify URL necessary?
Because after the first (user) verification only Google knows if the user is a bot or not. It updates the reCaptcha frame with a green tick (or not) and creates a hidden g-recaptcha-response textarea tag with the returned but encoded value in the tag, but you (site owner at server side) have no clue if the user is true or false. So using this g-recaptcha-response value, whether from the textarea or from the callback input parameter, you may verify the current user at your site (using the site's secret key). Do it only server side so that you don't expose the secret key.
If it is necessary - could it be done without PHP?
Sure, it can be done. You just send the g-recaptcha-response value to the server and there with Java (or another server tool) you ask Google's server whether it is verified (read the docs here). Then at the server side you know if the user is a bot or a human. Use any technique to return the result to the client.
You might also benefit from my auto submit reCaptcha answer.
Upvotes: 4
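As an added example (not code from the question or the answer), here is the server-side half for a Java/DWR backend like Gregor's: the DWR method passes the token it received from the client callback to this class, which asks siteverify whether the token is valid and whether it was solved on the expected hostname. It assumes Java 11+, a secret loaded from configuration rather than from the JSP, and a known hostname; the regex extraction is a stand-in for whatever JSON library the project already uses.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Server-side reCAPTCHA v2 check. The secret key lives only here, never in the page. */
public final class RecaptchaVerifier {
    private static final URI SITEVERIFY = URI.create("https://www.google.com/recaptcha/api/siteverify");
    private final HttpClient client = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(5)).build();
    private final String secret;           // assumption: read from env/config, e.g. RECAPTCHA_SECRET
    private final String expectedHostname; // assumption: the domain the widget is served from

    public RecaptchaVerifier(String secret, String expectedHostname) {
        this.secret = secret;
        this.expectedHostname = expectedHostname;
    }

    /** Call this from the DWR method with the token the client callback received; remoteIp is optional. */
    public boolean isHuman(String token, String remoteIp) throws IOException, InterruptedException {
        if (token == null || token.isEmpty() || token.length() > 4096) return false; // reject junk before spending a request
        String body = "secret=" + enc(secret) + "&response=" + enc(token)
                + (remoteIp == null ? "" : "&remoteip=" + enc(remoteIp));
        HttpRequest req = HttpRequest.newBuilder(SITEVERIFY)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
        HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) return false; // Google unreachable or erroring: fail closed
        return accept(resp.body(), expectedHostname);
    }

    /** Decision logic kept separate so it can be unit-tested on a canned siteverify response without network access. */
    static boolean accept(String json, String expectedHostname) {
        // "success" must be literally true; anything else (error-codes, timeout-or-duplicate) is a rejection.
        boolean success = Pattern.compile("\"success\"\\s*:\\s*true").matcher(json).find();
        // A token solved on some other site carries that site's hostname; accept only our own.
        Matcher host = Pattern.compile("\"hostname\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
        return success && host.find() && host.group(1).equalsIgnoreCase(expectedHostname);
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }
}
```

Each token is accepted by siteverify once only, so verify it exactly once per DWR call and treat a second use as a failure.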