reCAPTCHA for guests not working

Mayhem30

I've enabled reCAPTCHA for guest posting and have verified my site & secret key are correct. The captcha box does not show up anywhere and when trying to post anything, I receive this error message:

Oops! We ran into some problems.
You did not complete the CAPTCHA verification properly. Please try again.

This message also appears if I enable "Use invisible reCAPTCHA".
 
I recommend not using reCAPTCHA or any variation of it. It was cracked a year or two ago.

My own research into verification methods taught me that Q&A's are most effective. Simply define a question no spambot could ever circumvent and you're gold. For example, this is what I came up with:

Q: Enter the first five letters of the word 'xenomorph' backward.
 
I've enabled reCAPTCHA for guest posting and have verified my site & secret key are correct. The captcha box does not show up anywhere and when trying to post anything, I receive this error message:

Oops! We ran into some problems.
You did not complete the CAPTCHA verification properly. Please try again.

This message also appears if I enable "Use invisible reCAPTCHA".
If you want to use the invisible CAPTCHA then it needs to be enabled when you are creating your site and secret key. The keys are not interchangeable so if it was set up with Invisible then you must use the "Use invisible reCAPTCHA" option. If it wasn't, then you can't. So make sure that part is set up correctly in the first instance.

Aside from that, there's no real expectation of this to be not working. Here's a guest post being created using invisible CAPTCHA:

[Screenshot: 1515160055263.webp]

And non invisible:

[Screenshot: 1515160138952.webp]

So for now I recommend trying things with no add-ons enabled, on the default style, etc.


I recommend not using reCAPTCHA or any variation of it. It was cracked a year or two ago.
This is partly true. reCAPTCHA has been cracked a few times in its lifetime. It responds by adapting. FWIW I'd be more comfortable using reCAPTCHA than I would the Q&A CAPTCHA you have set up.

Most spam bots can comprehend questions such as first five letters, forwards/backwards, basic maths etc. and even if they can't on specific, it will be manually cracked at some point. Your Q&A questions can't adapt to being cracked (unless you're constantly changing them). Google can.
 
Most spam bots can comprehend questions such as first five letters, forwards/backwards, basic maths etc. and even if they can't on specific, it will be manually cracked at some point. Your Q&A questions can't adapt to being cracked (unless you're constantly changing them). Google can.

Oh wow. I had no idea. Thank you for enlightening me. As of now, I've switched to reCAPTCHA V2.
 
Just to avoid any confusion, the CAPTCHA is dynamically loaded in as soon as the editor is focused (it won't appear in the page until then).

Does it appear when you click inside the editor? Do you have any errors appearing in the browser console after you click inside the editor?
 
On page load:

Mixed Content: The page at 'https://example.com/...' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://example.com/job.php'. This request has been blocked; the content must be served over HTTPS.

When I click inside the editor:

Mixed Content: The page at 'https://example.com/...' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint. http://example.com/index.php?misc/captcha... This request has been blocked; the content must be served over HTTPS.
 
Ok. That would explain it.

It sounds like you’re serving the page over HTTPS but some parts of the page are loading over HTTP. Specifically AJAX requests don't appear to be going over HTTPS.

This can be a web server configuration issue.

Specifically, your full base URL is being detected as http - this is the value your web server is giving out.

Often the easiest thing to do is to add the following to your config.php file:
PHP:
$_SERVER['HTTPS'] = 'on';
 
Specifically, your full base URL is being detected as http - this is the value your web server is giving out.

What PHP code are you using to detect this? I'd like to try and fix this, as it could affect my future sites when they are converted over to HTTPS.

Often the easiest thing to do is to add the following to your config.php file:

This solved this issue - reCAPTCHA is working again. Thank you.
 
We're essentially just using basic PHP $_SERVER variables including $_SERVER['HTTP_HOST'] or $_SERVER['SERVER_NAME']. So the issue lies with the values your web server is populating PHP with internally.

Incidentally, when we've seen this before it has been with some pretty old versions of nginx so it might be worth checking nginx is up to date. Though equally it could just be how nginx is configured.
 
Are you using any sort of reverse proxy or load balancer which is doing SSL termination? If so, that might explain it as the request isn't actually reaching XF as SSL. XF2 tries to detect this more though, but we'd need to see what headers/server variables are being exposed to PHP to see what indicates that the request is happening via SSL.
 
I'm using the latest stable nginx 1.12 in front of apache 2.4.

I see that phpinfo(); does not contain any variables to indicate that an SSL connection took place. I will look into this today and see what can be done in my nginx config to change this. I will get back to you if I have any success.
 
I see what's going on. When I "ProxyPass" PHP files from Nginx to Apache for processing, it's done via HTTP (not HTTPS). So when Apache receives the response, it's from an unsecured connection. Since I have both Nginx and Apache on the same server and communicating via localhost, it's not necessary for me to change that.

Handling it this way also saves me from loading the SSL PHP extension.
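
For the nginx-in-front-of-Apache setup described in the posts above, a conditional alternative to hard-coding `$_SERVER['HTTPS'] = 'on'` in config.php. This is an added example, not XenForo's code and not from any poster in the thread. It assumes nginx is configured with `proxy_set_header X-Forwarded-Proto $scheme;`, and `requestWasHttps()` and `$trustedProxies` are hypothetical names.

```php
<?php
// Added example, not XenForo's code. Assumes the front-end nginx sends
//   proxy_set_header X-Forwarded-Proto $scheme;
// and that only the proxies listed below can connect to the Apache backend.

/**
 * Report whether the client's original connection used HTTPS.
 * requestWasHttps() and $trustedProxies are hypothetical names.
 */
function requestWasHttps(array $server, array $trustedProxies): bool
{
    // TLS terminated on this web server itself.
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return true;
    }

    // Honour the forwarded header only when the TCP peer is our own proxy;
    // a header arriving from any other address is client-controlled input.
    if (!in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true)) {
        return false;
    }

    $proto = strtolower(trim((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '')));
    return $proto === 'https';
}

$trustedProxies = ['127.0.0.1', '::1']; // nginx on the same host, as in the thread

// In config.php this replaces the unconditional assignment.
if (requestWasHttps($_SERVER, $trustedProxies)) {
    $_SERVER['HTTPS'] = 'on';
}

// Demonstration only (omit in config.php): constructed sample requests,
// not captured from a real server.
$samples = [
    'via nginx, https' => ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'via nginx, http'  => ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_PROTO' => 'http'],
    'untrusted peer'   => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'direct TLS'       => ['REMOTE_ADDR' => '203.0.113.7', 'HTTPS' => 'on'],
];
foreach ($samples as $label => $server) {
    printf("%-18s => %s\n", $label, requestWasHttps($server, $trustedProxies) ? 'https' : 'http');
}
```

If Apache rewrites `REMOTE_ADDR` to the client address (for example with mod_remoteip), the peer check above no longer sees the proxy and has to be adapted.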
 
My own research into verification methods taught me that Q&A's are most effective. Simply define a question no spambot could ever circumvent and you're gold.
The problem we were running into with that is that potential new members were getting frustrated with having to look up the answer to my question. I even received 2 PMs on Facebook that they couldn't enter the correct response.
 