How can I use reCAPTCHA v2 on a large number of do

Posted 2019-02-17 07:17

The previous version of reCAPTCHA provided the option to make a global key which would work on any domain. Now, in version 2, that option is gone, and the reCAPTCHA site claims that "Global Keys are not supported in the V2 API."

I'm working with a large number of domain names that can change frequently without my intervention, and I don't want to have to add each new domain to the key.

Is there a way to get reCAPTCHA to work on any domain without specifically authorizing each one?

2 answers
Viruses.
#2 -- · 2019-02-17 08:01

NOTE: This applies to a previous version of the reCAPTCHA API. See the other answer for an updated solution.


This doesn't seem to be well-known, but reCAPTCHA's documentation mentions that a Secure Token can be used to have one key working on a large number of domains. This feature seems to be exactly designed for this type of situation.

It's created by encrypting a JSON string with your site secret, but the documentation doesn't say exactly what encryption method to use. Here's some PHP code I've used to get it working in one of my projects. This should help with whatever language you're working with.

<?php
// Payload that gets encrypted into the secure token
$token = json_encode(array(
    'session_id' => bin2hex(openssl_random_pseudo_bytes(16)), // Random ID; no special format
    'ts_ms' => intval(round(microtime(true) * 1000)),         // Time in milliseconds
));

$secret_key = '{reCAPTCHA secret key}';
// AES-128 key: the first 16 bytes of the raw SHA-1 digest of the site secret
$secret_key_hash = substr(hash('sha1', $secret_key, true), 0, 16);

$stoken_bin = openssl_encrypt(
    $token,
    'AES-128-ECB', // Encryption method
    $secret_key_hash,
    OPENSSL_RAW_DATA // Give me the raw binary
);

// URL-safe Base64 encode; change + to -, / to _, and remove =
$stoken = strtr(base64_encode($stoken_bin), array('+'=>'-', '/'=>'_', '='=>''));
可以哭但决不认输i
#3 -- · 2019-02-17 08:18

It is possible to implement reCAPTCHA Version 2.0 without verifying each domain: https://developers.google.com/recaptcha/docs/domain_validation

To do so, visit the admin console and click the API key in question under "Your reCAPTCHA Sites". Then under "Advanced Settings", uncheck "Verify the origin of reCAPTCHA solutions".


Security Warning

Per Google, doing this creates a security risk that then requires you to check the hostname yourself.

Turning off this protection by itself poses a large security risk - your key could be taken and used by anyone, as there are no restrictions as to the site it's on. For this reason, when verifying a solution, you are required to check the hostname field and reject any solutions that are coming from unexpected sources.


Related Link: (from "Stack Exchange Information Security")
- Why bother validating the hostname for a Google Recaptcha response?
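A server-side check of the kind the warning above calls for, written here in Python as an added example (not code from either answer, and not the page's PHP): it parses the siteverify response, rejects failed solutions, and rejects any solution whose hostname is not one of your own sites or their subdomains. The allowlist, the helper names and the sample responses are constructed; the siteverify URL and the success, hostname and error-codes fields are the real ones.

```python
import json
import urllib.parse
import urllib.request

# Assumed allowlist: the domains you serve (subdomains of these are accepted too).
ALLOWED_HOSTNAMES = {"example.com", "example.net"}


def hostname_allowed(hostname, allowed=ALLOWED_HOSTNAMES):
    """True if hostname is an allowed domain or a subdomain of one."""
    if not hostname:
        return False
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def verify_response(siteverify_json, allowed=ALLOWED_HOSTNAMES):
    """Decide (accepted, reason) from a siteverify response body (str or dict)."""
    data = json.loads(siteverify_json) if isinstance(siteverify_json, str) else siteverify_json
    if not data.get("success"):
        return False, "captcha failed: " + ",".join(data.get("error-codes", []))
    # With origin verification turned off, this is the only thing tying the
    # solution to your sites; reject anything solved elsewhere.
    if not hostname_allowed(data.get("hostname"), allowed):
        return False, "unexpected hostname: %r" % data.get("hostname")
    return True, "ok"


def siteverify(secret, response_token, remote_ip=None):
    """Submit the widget's response token to Google and apply verify_response (needs network)."""
    payload = {"secret": secret, "response": response_token}
    if remote_ip:
        payload["remoteip"] = remote_ip
    req = urllib.request.Request(
        "https://www.google.com/recaptcha/api/siteverify",
        data=urllib.parse.urlencode(payload).encode(),
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return verify_response(resp.read().decode())


# Constructed sample responses in the siteverify format
GOOD = '{"success": true, "challenge_ts": "2019-02-17T08:00:00Z", "hostname": "app.example.com"}'
ELSEWHERE = '{"success": true, "challenge_ts": "2019-02-17T08:00:00Z", "hostname": "unrelated.invalid"}'
FAILED = '{"success": false, "error-codes": ["invalid-input-response"]}'
```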
