reCAPTCHA ignores “Omit challenges in a multi-step/preview workflow…” setting

Created on 30 May 2023, about 1 year ago
Updated 27 February 2024, 4 months ago

Problem/Motivation

We are using the reCAPTCHA module with the CAPTCHA module. In multi-step forms, users are presented with the reCAPTCHA test on each page. Selecting the CAPTCHA setting to “Omit challenges in a multi-step/preview workflow once the user successfully responds to a challenge” does not change this behavior. If using the standard math CAPTCHA, this setting results in the challenge being presented on the first page of the form, and after successful completion of the challenge, the rest of the form pages are challenge-free, as intended.

Steps to reproduce

On a site with CAPTCHA and reCAPTCHA modules enabled:

  • select the “Omit challenges in a multi-step/preview workflow once the user successfully responds to a challenge” option at /admin/config/people/captcha
  • set up a multi-page Webform
  • add a CAPTCHA element independent of any page element (so it is not under any page element); use reCAPTCHA as the challenge type
  • as an anonymous user, complete the first page of the Webform, and on arrival at the subsequent pages, observe the need to complete the reCAPTCHA challenge each time
  • edit the Webform, changing the CAPTCHA challenge type to Math
  • as an anonymous user, complete the first page of the Webform, and on arrival at the subsequent pages, observe the lack of a need to complete the Math challenge each time.

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Needs work

Version

4.0

Component

General

Created by

🇺🇸United States byronveale

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.


Comments & Activities

  • Issue created by @byronveale
  • 🇺🇸United States byronveale

    Edited the issue as further testing bore out the fact that adding the CAPTCHA element to a specific page in the Webform mitigates this issue. A user would only need to redo the reCAPTCHA if they navigated back to the page with the CAPTCHA.

    So there is still an issue here as the Math challenge type behaves as expected, i.e. once completed, do not need to redo.

  • 🇩🇪Germany Anybody Porta Westfalica

    Confirming this issue! For us it always happens on the second webform page already, without the user having to go back to the first step.

    We placed the CAPTCHA Webform element at the root level, before the Submit button, is that correct?
    Math captcha 100% works as expected and doesn't block the form, while the multistep form simply can't be proceeded using reCaptcha.

    Gaining priority for that reason.

  • 🇩🇪Germany Anybody Porta Westfalica

    Update: This can be mitigated by moving the reCaptcha INTO the first step and NOT having it at the top level of Webform elements before the submit button.

    So it *might* also be a Webform issue, if it doesn't happen in other Multistep forms, I'm not sure. But still unexpected, so I'll keep the status.

  • Status changed to Needs work 6 months ago
  • 🇩🇪Germany Anybody Porta Westfalica
    "So it *might* also be a Webform issue, if it doesn't happen in other Multistep forms, I'm not sure. But still unexpected, so I'll keep the status."

    I'm facing the same problem with my custom multistep forms.

    One observation is that the persistence mechanism and the mentioned option in the captcha module rely on the captcha status stored in the captcha_sessions table. However, it appears that the captcha status is not being updated at all within the ReCaptcha module.

    Additionally, I'm unsure whether the ReCaptcha module needs to perform the action mentioned. It might be the responsibility of the captcha module. The captcha status isn't managed if the cacheable attribute during the generation operation is set, which is the case with ReCaptcha.

    To me, it makes more sense for the captcha status to be managed entirely by the captcha module.
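The following is an added illustration, not code from the CAPTCHA or reCAPTCHA modules or from any commenter: a simplified Python model of the behaviour the last comment describes, where the "omit" option depends on a solved status in captcha_sessions and that status is never written for a cacheable challenge. All class, function and parameter names are hypothetical, and the `cacheable` values for Math and reCAPTCHA are assumptions taken from the comment.

```python
# Simplified model of the behaviour described in the comment above.
# All names are hypothetical; this is not the CAPTCHA or reCAPTCHA module's code.
from dataclasses import dataclass, field

UNSOLVED, SOLVED = 0, 1  # constructed status values for this model


@dataclass
class Challenge:
    name: str
    cacheable: bool  # assumption from the comment: set for reCAPTCHA, not for Math


@dataclass
class SessionTable:
    """Stands in for the captcha_sessions table: session id -> status."""
    rows: dict = field(default_factory=dict)
    next_id: int = 1

    def create(self) -> int:
        sid, self.next_id = self.next_id, self.next_id + 1
        self.rows[sid] = UNSOLVED
        return sid


def run_multistep(challenge, steps, table, manage_status_always=False):
    """Return the step numbers on which the user is shown a challenge.

    The user answers every challenge correctly. With the "omit challenges in
    a multi-step workflow" option on, a step skips the challenge only when
    the form's session row is already SOLVED.
    """
    sid = None
    shown = []
    for step in range(1, steps + 1):
        if sid is not None and table.rows.get(sid) == SOLVED:
            continue  # persistence: already solved in this form instance
        shown.append(step)
        tracked = manage_status_always or not challenge.cacheable
        if tracked:
            if sid is None:
                sid = table.create()
            table.rows[sid] = SOLVED  # correct answer recorded
        # Untracked: the answer is verified but no status is written, so
        # the next step finds no SOLVED row and challenges again.
    return shown
```

With `manage_status_always=True` the model records the status regardless of the cacheable flag, which corresponds to the suggestion that the CAPTCHA module manage the status entirely.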
