reCaptcha v2 does not work if third party cookies are disabled and does not give feedback to the user

[DanielaValero]

When the third party cookies are disabled in the browser, the selection of the user of the tiles, does not get stored, therefore the user is not able to solve the captcha.

It is true, that if the user disables explicitly the third party cookies, or enters the browser in a privacy mode, they would know that any feature that requires cookies will not work as expected.

However, is also true, that in order to provide a better user experience, we should give feedback to the user, when a feature is not working.

Would it be possible to add a note to the user about this?

The feature would theoretically be something like this:

From the reCaptcha to detect if the cookies are not enabled, and if so, render a string to tell the user that the reCaptcha is not going to work, and in order to have it working, the user should enable the third party cookies in the browser.

Steps to reproduce

1. Disable the third party cookies in chrome or FF
2. Clean the cookies
3. Reload the browser
4. Go to any of the next links, and try to solve the reCaptcha when it shows the tiles

https://www.google.com/recaptcha/api2/demo
http://vividcortex.github.io/angular-recaptcha/

[mastix]

We're facing the same issue. Our corporate browser has 3rd party cookies disabled by default, which means that we're having a hard time solving the reCaptcha riddles. :(

[Kasijjuf]

What is the domain of the third-party cookie reCaptcha uses?

[timreeves]

My own experience is, with Chromium and FF, both with 3rd party cookies turned off,
reCaptcha V2 can (nowadays) still be used, but it did try to set 2 cookies (blocked):

• google.com / CONSENT
• google.com / NID

And anyway it uses calls to 3rd party websites:

• fonts.gstatic.com
• www.gstatic.com Logo, JS, CSS
• www.google.com reCaptcha-API, JS

[theking2]

Hi Tim,
With third party cookies disabled recaptcha does not really work. It keeps on asking new clicks for store fronts, roads, streetsigns and autobusses. After about 15 min of useless clicking Google servers seem to give up and assume that only a human being spends so much time aimless clicking.
What cookies should be enabled to have recaptcha working? (Sony is driving me crazy with this, why no implement a decent 2FA?)

[rowan-m]

This isn't directly related to the PHP code which is what this repo focuses on. However, you might want to look at the v3 support in the most recent release. That uses a wholly invisible reCAPTCHA that just returns a confidence score for the request. This might alleviate some of your issues. Example hosted at https://recaptcha-demo.appspot.com/recaptcha-v3-request-scores.php

[boop5]

this is still an issue

[Identity9165]

you can not follow any security and privacy practises with google recaptcha protecting a website. For years, we've (security/privacy concious people) been training your AI algorithms with the new versions of recaptcha. I am sick and tired off not being able to visit sites. A fix must be made or I think webmasters will turn away to alternative captcha solutions. There are very good alternatives around there.

[jmb0z]

fuck recaptcha

[vertigo220]

Been posting in another issue, not directly related to this, but definitely part of the annoyance that is reCaptcha. While the cookie situation is likely partially innocent, i.e. a way to have a good idea of whether a "user" is a human or a bot, I'm convinced it's also at least partially designed to force Google cookies on systems regardless of other settings (blocking 3rd-party cookies, deleting Google cookies, etc) in order to prevent the massive time waste of having to do captchas all the time, and spend 3+ minutes on them each time. I'm also convinced they are, both in general and especially in these cases, using people to train their systems. Anyways, as discussed in the other issue, I have serious concerns about v3, and suspect it will be even worse than v2, since it will quite likely simply block people instead of offering them the ability to prove they're human (even if that does take FAR longer than it should and still often fail). And it seems to me the requirement for users to have Google cookies on their systems just to use a number of unrelated sites, not to mention the fact said cookies aren't even disclosed, is in violation of GDPR and possibly (though, sadly, unlikely) FTC rules.

I am using the uBlock Origin Ad Blocker and no matter how many times I try to solve the ReCatpchas, and they show up everywhere (even my bank!) due to lazy web developers, it still does not accept I am a human, or at least I thought I was one until now, am I?

ReCaptcha is just a cookie-based scheme to put Google Cookies... There is in fact no smart heuristics detecting humans vs. robots. I refuse to work for Google and specially not if I am not getting a salary !!!

🤖