Google reCAPTCHA: How to get user response and validate in the server side?

by

The cool thing about the new Google Recaptcha is that the validation is now completely encapsulated in the widget. That means, that the widget will take care of asking questions, validating responses all the way till it determines that a user is actually a human, only then you get a g-recaptcha-response value.

But that does not keep your site safe from HTTP client request forgery.

Anyone with HTTP POST knowledge could put random data inside of the g-recaptcha-response form field, and fool your site to make it think that this field was provided by the google widget. So you have to validate this token.

In human speech, it would be like,

  • Your Server: Hey Google, there’s a dude that tells me that he’s not a robot. He says that you already verified that he’s a human, and he told me to give you this token as proof of that.
  • Google: Hmm… let me check this token… yes I remember this dude I gave him this token… yeah he’s made of flesh and bone let him through.
  • Your Server: Hey Google, there’s another dude that tells me that he’s a human. He also gave me a token.
  • Google: Hmm… it’s the same token you gave me last time… I’m pretty sure this guy is trying to fool you. Tell him to get off your site.

Validating the response is really easy. Just make a GET request to

https://www.google.com/recaptcha/api/siteverify?secret=your_secret&response=response_string&remoteip=user_ip_address

And replace the response_string with the value that you earlier got by the g-recaptcha-response field.

You will get a JSON Response with a success field.

More information here:
https://developers.google.com/recaptcha/docs/verify

Edit: It’s actually a POST, as per documentation here.

More Related Contents:

  1. Dynamic Drop down values based on another dropdown [closed]
  2. How to use JavaScript with Selenium WebDriver Java
  3. Spring JSON request getting 406 (not Acceptable)
  4. Simple calculator with JSP/Servlet and Ajax
  5. Java equivalent to JavaScript’s encodeURIComponent that produces identical output?
  6. How to detect the timezone of a client?
  7. Alternative to Jzebra/QZ Java Raw Print Plugin after NPAPI being dropped on Chrome Browser
  8. Converting a Java ArrayList of strings to a JavaScript array
  9. How can I use JavaScript in Java? [closed]
  10. How can I get stock quotes using Google Finance API?
  11. Call external javascript functions from java code
  12. Passing a JavaScript object using addJavascriptInterface() on Android
  13. How to overcome an HTMLUnit ScriptException?
  14. How to execute JavaScript on Android?
  15. Why does changing the sum order returns a different result?
  16. Javascript parser for Java [closed]
  17. Jsoup get dynamically generated HTML
  18. How to upload an image and save it in database? [duplicate]
  19. Remove empty collections from a JSON with Gson
  20. Set img src from Byte Array
  21. What’s the equivalent of Java’s Thread.sleep() in JavaScript? [duplicate]
  22. How to check whether a port is open at client’s network/firewall?
  23. Swing method akin to HTML5’s canvas.putImageData(arrayOfPixels, 0,0)
  24. How can I run JavaScript code at server side Java code?
  25. calling java method in javascript [closed]
  26. Recommendations for java captcha libraries [closed]
  27. Understanding Android’s webview addjavascriptinterface
  28. How to differentiate Ajax requests from normal Http requests?
  29. Getting Jsoup to support dynamically generated html by JavaScript
  30. Android WebView always returns null for javascript getElementById on loadUrl

Leave a Comment