
I'm building reCAPTCHA into my website using the example below. I want to know how I can verify this on the client side and on the server side. Is it sufficient to verify whether the user has checked the checkbox on the client side and not check on the server side? Also, I need to count how many times users have failed to verify the captcha.

<html>
  <head>
    <title>reCAPTCHA demo: Explicit render after an onload callback</title>
    <script type="text/javascript">
      var onloadCallback = function() {
        grecaptcha.render('html_element', {
          'sitekey' : 'your_site_key'
        });
      };
    </script>
  </head>
  <body>
    <form action="?" method="POST">
      <div id="html_element"></div>
      <br>
      <input type="submit" value="Submit">
    </form>
    <script src="https://www.google.com/recaptcha/api.js?onload=onloadCallback&render=explicit"
        async defer>
    </script>
  </body>
</html>
  • Does this answer your question? [Google reCAPTCHA: how to get user response and validate in the server side](https://stackoverflow.com/questions/27297067/google-recaptcha-how-to-get-user-response-and-validate-in-the-server-side) – Sandeep Sherpur Dec 10 '19 at 11:57

2 Answers


If you use the new invisible recaptcha, you can simply link it to your Submit button. You won't need to test if the user has "checked the checkbox", since there won't be one.

You always need to verify recaptcha on the server side. Clever bots can fake anything on the client side. Do you only want to protect against dumb bots?

The recaptcha API doesn't report the number of attempts. You just have to trust Google on this one. Some of the "select all images" challenges are ambiguous, and it is normal to need several attempts.

Tom Robinson

How to verify recaptcha on client side:

Since you are not passing any data-* attributes on your target HTML element, you still have the option to pass them as parameters in the grecaptcha.render() API options. Along with sitekey you can pass callback: function () {..}. The callback function gets called each time the user is successfully verified, but there is no way to know how many times the user failed the verification challenge.

Another way to programmatically verify on the client side whether the user is a verified human is the grecaptcha.getResponse() API. If this API returns a non-zero-length string token, it means the user is verified. BTW, the token returned by this API is the same one that gets sent to the server when submitting the form, something to keep in mind in case you want to switch to posting the form via AJAX.

How to verify recaptcha on server side:

The submitted form should have a g-recaptcha-response POST parameter which needs to be sent to the reCAPTCHA verification server to check its validity. Tom already posted the PHP way of verifying it in a comment to his answer.

Can I rely on client side verification only:

No, you cannot. You must validate the token sent by the client with the reCAPTCHA verification server. Client-side JavaScript can easily be hijacked to return a false positive. A malicious bot can overwrite the API methods of the reCAPTCHA script and return its own values. You must therefore check with the reCAPTCHA verification server that the token sent by the client is valid.

codneto
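The two points made in the answers above (a bot can overwrite the widget's API methods, so only the server-side siteverify check counts) as an added example that is not code from the question or from either answer. A simulated grecaptcha widget stands in for the real one: the page-side getResponse() check accepts a forged token once the bot replaces the method, while a Node.js (18+, for global fetch) server-side check of the g-recaptcha-response token against the siteverify endpoint rejects it. The HTTP call is injectable so the walk-through runs offline against a constructed stand-in for Google's endpoint; the secret, hostname, IP address and token strings are made up. The failure counter is the server-side substitute for the attempt count the widget does not expose: it counts submitted tokens that fail verification, not challenge retries inside the widget.

```javascript
// Added example, not code from the question or either answer. Node.js 18+.

// ---- Client side: the check the answers describe ---------------------------

// Stand-in for the global that https://www.google.com/recaptcha/api.js creates.
// Constructed for this example; the real widget fills in the token when solved.
function makeWidget(solvedToken = "") {
  return {
    _token: solvedToken,
    getResponse() { return this._token; },
  };
}

// "If getResponse() returns a non-zero-length string, the user is verified."
function clientSideLooksVerified(widget) {
  return widget.getResponse().length > 0;
}

// What a bot can do in its own browser: replace the API method and hand the
// page any string it likes. The page-side check above is now meaningless.
function botOverridesWidget(widget) {
  widget.getResponse = () => "forged-token-google-never-issued";
  return widget;
}

// ---- Server side: validate g-recaptcha-response with siteverify -----------

const SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";

// Decide from a siteverify JSON body ({success, challenge_ts, hostname,
// "error-codes"}) whether to accept the submission. Pure, so it is testable.
function checkSiteverifyResult(data, expectedHostname) {
  if (!data || data.success !== true) {
    const codes = (data && data["error-codes"]) || ["no-success-flag"];
    return { ok: false, reason: codes.join(",") };
  }
  // Also check that the challenge was solved on your own site.
  if (expectedHostname && data.hostname !== expectedHostname) {
    return { ok: false, reason: "hostname-mismatch:" + data.hostname };
  }
  return { ok: true, challengeTs: data.challenge_ts };
}

// Network wrapper. `post` is injectable so the decision logic can run offline;
// production uses the default, which calls Google. Any error fails closed.
async function verifyRecaptchaToken(token, { secret, expectedHostname, remoteIp, post = postForm }) {
  if (typeof token !== "string" || token.length === 0) {
    return { ok: false, reason: "missing-input-response" };
  }
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set("remoteip", remoteIp); // optional siteverify parameter
  let data;
  try {
    data = await post(SITEVERIFY_URL, body);
  } catch (err) {
    return { ok: false, reason: "siteverify-unreachable" }; // never accept on error
  }
  return checkSiteverifyResult(data, expectedHostname);
}

async function postForm(url, body) {
  const res = await fetch(url, { method: "POST", body });
  if (!res.ok) throw new Error("siteverify HTTP " + res.status);
  return res.json();
}

// The widget never reports challenge attempts, but the server can count how
// many submitted tokens fail verification per client (IP, session, account).
// In-memory here; a shared store is needed behind more than one server.
const failedVerifications = new Map();
function recordFailure(clientKey) {
  const n = (failedVerifications.get(clientKey) || 0) + 1;
  failedVerifications.set(clientKey, n);
  return n;
}

// ---- Offline walk-through -------------------------------------------------

// Constructed stand-in for Google's endpoint: exactly one token is "genuine".
async function fakeSiteverify(_url, body) {
  if (body.get("response") === "03AGdBq2-genuine-token") {
    return { success: true, challenge_ts: "2019-12-10T11:57:00Z", hostname: "example.com" };
  }
  return { success: false, "error-codes": ["invalid-input-response"] };
}

async function demo(clientKey = "203.0.113.7") {
  const opts = { secret: "your_secret_key", expectedHostname: "example.com", post: fakeSiteverify };
  const bot = botOverridesWidget(makeWidget());
  const botClient = clientSideLooksVerified(bot);                        // true: fooled
  const botServer = await verifyRecaptchaToken(bot.getResponse(), opts); // ok: false
  const botFailures = botServer.ok ? 0 : recordFailure(clientKey);
  const human = makeWidget("03AGdBq2-genuine-token");
  const humanServer = await verifyRecaptchaToken(human.getResponse(), opts); // ok: true
  return { botClient, botServer, humanServer, botFailures };
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

Wire verifyRecaptchaToken into the POST handler for the form action, reading the token from the g-recaptcha-response field, and reject the request whenever ok is false; the client-side callback and getResponse() are only useful for UX, such as enabling the submit button.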