RECAPTCHA3 - no error message

When I use RECAPTCHA 3 on an Umbraco form and the submission fails validation, it just reloads the form with no error message to the user. Is this expected behaviour?

Hey @danimalx

No, this is not the expected behavior. Can you share more details on it like what configuration you have set? Like Google reCaptcha will follow the below scenarios:

  1. Make sure the Google reCaptcha Key is configured.
  2. Domain has been set up along with Google reCaptcha configuration.

Are you getting any errors in the console?

No error in the console. I noticed it initially when I hadn’t added localhost to the Google reCaptcha console. Once that was added it worked but as I say there was no error message. Then I turned up the sensitivity to 1 and put in spammy data to the form and it did the same thing, reloaded the form with no message.

Yeah @danimalx

You are right, it seems like when we set the Score threshold to 1, it is not handled. Maybe you can make it lower and it will work, I just checked it.

If I lower the threshold it works, in that the form is processed. The problem is if there is spam or suspected spam, then the form does not return an error message, it just reloads.

There has been research published (journal published) showing that the recaptcha system does not work (I have had it fail entirely with new clients and they immediately had bots submitting forms) and in fact bots have an easier time of convincing the system they are real than most people. This has been the case for at least 13 years.

The best method I have had luck with over the years was developing my own submission validation on the fields, looking for particular ‘calling cards’ of bots and poor data, and parameterising everything (this should have been a std thing since the 80’s but so many places don’t do it).

The research I mention has also calculated how much google has earned off using the data for tracking people and selling the data (as it is a tracking system underneath) and it hovers around the $1 trillion USD.

I’ve reverted to the V2 ReCaptcha which works fine for my purposes.

It is well known by now that reCaptcha v2 has long not worked for bot traffic and v3 is also not effective, for example:

If you have an actual bot problem, do check out this plugin for Forms that offers Cloudflare Turnstile, which is still an effective tool.

One of the other tricks you can do is have all your forms include a fake input that is hidden but ‘looks’ legit to a bot. On the controller you then look to see if that field has been filled out.

Won’t get em all, but it was surprising how many bots would dump data into that field even when it is obviously hidden.

Yeah, I’ve used that, it’s called a honeypot and works quite well sometimes, but it has to be kind of obscure because bots have learned to work around them quite well if they’re obviously named.

A good trick to use is a dupe of an existing field that might need confirmation, like email and email confirmation, then by server date or some other changing but predictable factor you can select which one should be blank. You could also randomise it and in validation just look for one to be blank.

The hard part I have really found is making the form work for accessibility with this, that can be an absolute bugger.

I will often also have false-positive submissions. So there are a bunch of checking fields, and when they are all filled out you can pretend the submission worked and log the behaviours. Then look up how they are working and mod some stuff in the background to then just kick any connection trying to pull the same stunts.

TBH the only issue I ever had with Umbraco (v7 I think?) was someone using the backoffice login form to email messages to me. I don’t think they ever even knew where they were going.

The other thing I do is I have a spam scanner I built that runs whenever someone submits a form that looks for common attacks, keywords, manual attachments being attempted, or any html so it never bothers submitting the form if any of those flags are raised. Discovered a new type of SQL injection attack this way :smiley:
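
An added example, not part of the thread and not Umbraco or Umbraco Forms code: a server-side check for the paired-field honeypot described above, where the hidden decoy of two confirmation inputs is picked by server date and a filled decoy gets a silent fake success. The field names and the `HoneypotCheck` class are hypothetical, and the sample submissions are constructed.

```csharp
using System;
using System.Collections.Generic;

public enum Verdict { Accept, Reject, SilentDrop }

public static class HoneypotCheck
{
    // Hypothetical field names: both look like a normal "confirm email" input,
    // but only one is shown to the visitor on a given day; the other is the decoy.
    public static readonly string[] Pair = { "email_confirm", "email_verify" };

    // Changing but predictable selector: the decoy alternates with the UTC day number.
    public static int DecoyIndex(DateTime utc) =>
        (int)(utc.Date.Ticks / TimeSpan.TicksPerDay % 2);

    public static Verdict Evaluate(IDictionary<string, string> form, DateTime utcNow)
    {
        string Get(string k) => form.TryGetValue(k, out var v) ? (v ?? "").Trim() : "";

        // A form rendered just before midnight UTC may be posted after it,
        // so the previous day's layout is accepted as well.
        foreach (var day in new[] { utcNow, utcNow.AddDays(-1) })
        {
            int decoy = DecoyIndex(day);
            if (Get(Pair[decoy]).Length != 0) continue; // decoy must be blank
            // The visible field is a real confirmation: a mismatch is a user error.
            return string.Equals(Get(Pair[1 - decoy]), Get("email"),
                StringComparison.OrdinalIgnoreCase) ? Verdict.Accept : Verdict.Reject;
        }
        // Both inputs filled: a person never sees the decoy, so treat as a bot.
        return Verdict.SilentDrop;
    }
}

public static class Program
{
    public static void Main()
    {
        var now = new DateTime(2024, 5, 2, 9, 0, 0, DateTimeKind.Utc); // constructed
        string shown = HoneypotCheck.Pair[1 - HoneypotCheck.DecoyIndex(now)];
        var human = new Dictionary<string, string>
            { ["email"] = "a@example.com", [shown] = "a@example.com" };
        var bot = new Dictionary<string, string> { ["email"] = "x@example.com",
            ["email_confirm"] = "x@example.com", ["email_verify"] = "x@example.com" };
        Console.WriteLine(HoneypotCheck.Evaluate(human, now));
        Console.WriteLine(HoneypotCheck.Evaluate(bot, now));
    }
}
```

On `SilentDrop` the controller would return its normal success response and log the request instead of processing it, while `Reject` is an ordinary validation error shown to the user.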