Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

reCaptcha v2 does not work if third party cookies are disabled and does not give feedback to the user #155

Closed
DanielaValero opened this issue Apr 25, 2017 · 14 comments
Labels

Comments

@DanielaValero
Copy link

@DanielaValero DanielaValero commented Apr 25, 2017

When the third party cookies are disabled in the browser, the selection of the user of the tiles, does not get stored, therefore the user is not able to solve the captcha.

It is true, that if the user disables explicitly the third party cookies, or enters the browser in a privacy mode, they would know that any feature that requires cookies will not work as expected.

However, is also true, that in order to provide a better user experience, we should give feedback to the user, when a feature is not working.

Would it be possible to add a note to the user about this?

The feature would theoretically be something like this:

From the reCaptcha to detect if the cookies are not enabled, and if so, render a string to tell the user that the reCaptcha is not going to work, and in order to have it working, the user should enable the third party cookies in the browser.

Steps to reproduce

  1. Disable the third party cookies in chrome or FF
  2. Clean the cookies
  3. Reload the browser
  4. Go to any of the next links, and try to solve the reCaptcha when it shows the tiles

https://www.google.com/recaptcha/api2/demo
http://vividcortex.github.io/angular-recaptcha/

@mastix
Copy link

@mastix mastix commented Apr 25, 2017

We're facing the same issue. Our corporate browser has 3rd party cookies disabled by default, which means that we're having a hard time solving the reCaptcha riddles. :(

@Kasijjuf
Copy link

@Kasijjuf Kasijjuf commented Jul 3, 2017

What is the domain of the third-party cookie reCaptcha uses?

@timreeves
Copy link

@timreeves timreeves commented Mar 1, 2018

My own experience is, with Chromium and FF, both with 3rd party cookies turned off,
reCaptcha V2 can (nowadays) still be used, but it did try to set 2 cookies (blocked):

  • google.com / CONSENT
  • google.com / NID

And anyway it uses calls to 3rd party websites:

@theking2
Copy link

@theking2 theking2 commented May 20, 2018

Hi Tim,
With third party cookies disabled recaptcha does not really work. It keeps on asking new clicks for store fronts, roads, streetsigns and autobusses. After about 15 min of useless clicking Google servers seem to give up and assume that only a human being spends so much time aimless clicking.
What cookies should be enabled to have recaptcha working? (Sony is driving me crazy with this, why no implement a decent 2FA?)

@rowan-m
Copy link
Contributor

@rowan-m rowan-m commented Aug 1, 2018

This isn't directly related to the PHP code which is what this repo focuses on. However, you might want to look at the v3 support in the most recent release. That uses a wholly invisible reCAPTCHA that just returns a confidence score for the request. This might alleviate some of your issues. Example hosted at https://recaptcha-demo.appspot.com/recaptcha-v3-request-scores.php

@rowan-m rowan-m closed this Aug 1, 2018
@boop5
Copy link

@boop5 boop5 commented Oct 28, 2018

this is still an issue

@msc1
Copy link

@msc1 msc1 commented Jan 10, 2019

you can not follow any security and privacy practises with google recaptcha protecting a website. For years, we've (security/privacy concious people) been training your AI algorithms with the new versions of recaptcha. I am sick and tired off not being able to visit sites. A fix must be made or I think webmasters will turn away to alternative captcha solutions. There are very good alternatives around there.

@jamb0ss
Copy link

@jamb0ss jamb0ss commented Feb 8, 2019

fuck recaptcha

@vertigo220
Copy link

@vertigo220 vertigo220 commented Apr 11, 2019

Been posting in another issue, not directly related to this, but definitely part of the annoyance that is reCaptcha. While the cookie situation is likely partially innocent, i.e. a way to have a good idea of whether a "user" is a human or a bot, I'm convinced it's also at least partially designed to force Google cookies on systems regardless of other settings (blocking 3rd-party cookies, deleting Google cookies, etc) in order to prevent the massive time waste of having to do captchas all the time, and spend 3+ minutes on them each time. I'm also convinced they are, both in general and especially in these cases, using people to train their systems. Anyways, as discussed in the other issue, I have serious concerns about v3, and suspect it will be even worse than v2, since it will quite likely simply block people instead of offering them the ability to prove they're human (even if that does take FAR longer than it should and still often fail). And it seems to me the requirement for users to have Google cookies on their systems just to use a number of unrelated sites, not to mention the fact said cookies aren't even disclosed, is in violation of GDPR and possibly (though, sadly, unlikely) FTC rules.

@adriannadiaz
Copy link

@adriannadiaz adriannadiaz commented Apr 21, 2019

I am using the uBlock Origin Ad Blocker and no matter how many times I try to solve the ReCatpchas, and they show up everywhere (even my bank!) due to lazy web developers, it still does not accept I am a human, or at least I thought I was one until now, am I?

ReCaptcha is just a cookie-based scheme to put Google Cookies... There is in fact no smart heuristics detecting humans vs. robots. I refuse to work for Google and specially not if I am not getting a salary !!!

🤖

@u8is
Copy link

@u8is u8is commented Jun 15, 2019

I can't log in to several websites, because they use reCaptcha, which gives me 10-20 challenges/unpaid work assignments for Google, and then, upon completion, refuses to let me through. I assume this is because I block tracking domains and/or third-party cookies.

@chorliya
Copy link

@chorliya chorliya commented Feb 29, 2020

I've not seen the (backend) interface for reCAPTCHA, but I'm assuming there's a way to set for less screens to be displayed to the visiting user - that's different than (any) default settings. Very rarely I do come across a reCAPTCHA solve which lets me through after just one round (maybe two?); as opposed to the default three-or-more.

^^ So, in theory, webmasters could (re)configure to make everyone's lives easier - except this seems to be rarely done. :/

(edited for syntax)

@gingerlime
Copy link

@gingerlime gingerlime commented Jun 8, 2020

From my experience this is still an issue with reCaptcha v3 when 3rd party cookies are blocked (tested on latest Firefox / Mac). Not sure why this issue was closed... I guess if this repo is only about PHP code to integrate with reCaptcha? but the name/owner of the repo seems to suggest this is a generic Google/Recaptcha repo?

@sylvain261
Copy link

@sylvain261 sylvain261 commented Jun 8, 2020

Same issue with reCaptcha v3.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
You can’t perform that action at this time.