• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Fixed ReCaptcha Secure Token Deprecation

Jake B.

Well-known member
#1
I've gotten a ton of these emails recently, seems Google is changing how their ReCaptcha API works. The Secure Token isn't required anymore and now they're forcing domain validation. At least that's what I got out of this

Hi Webmaster,


You are receiving this email because your site is using the reCAPTCHA secure token. This feature has been deprecated and will be turned off on May 18th, 2016.


  • If you have a small number of domains, please list them in the admin console domain box.

  • If you cannot list every domain or have greater than 50 domains, you can find “Advanced Settings” in the admin console and untick the “Domain Name Validation” checkbox.
domain_name_validation.png

After that, your current key will continue working for all of the domains you are hosting but to maintain security, you are required to check the hostname of the solution on your side.


Please let us know if you have any questions and we are glad to help.


Thank you,


reCAPTCHA Support
 

Chris D

XenForo developer
Staff member
#2
The site you got this alert for, is it using the old reCAPTCHA or the new "I'm not a robot" reCAPTCHA?

EDIT: I actually can't see that we use the secure token anywhere...
 

Jake B.

Well-known member
#3
The site you got this alert for, is it using the old reCAPTCHA or the new "I'm not a robot" reCAPTCHA?

EDIT: I actually can't see that we use the secure token anywhere...
Nope, it's using the 'new' No CAPTCHA one

Screen-Shot-2016-05-10-at-10.57.25-AM.png

Is the secret key and secure token not the same thing? I'm not really familiar with NoCaptcha, but if not then I guess this can be closed :p
 

Chris D

XenForo developer
Staff member
#4
Yeah it's not the same thing.

That said, this does perhaps highlight some verification we're not actually doing so I'm going to escalate this to a bug.

It seems like we should have been doing the secure token validation but I don't think we are and alternatively we should be doing the hostname validation so we should look at adding that.
 

Chris D

XenForo developer
Staff member
#5
On closer inspection of the documentation, there's not necessarily anything we need to do here.

We do not make use of the secure token parameter. Also hostname validation happens automatically by default. However, there is an option to turn that off. Therefore as a precaution we are now also doing domain validation just to cover all bases. On that note, we'll call this fixed for the next release :)

Thanks.