Google reCAPTCHA: How to get user response and validate in the server side?


Problem description


I am doing a Java (JSP + Servlet) web application (I understand that this question is technology-independent). I hope to use the latest Google reCAPTCHA service.

I am playing with a Google reCAPTCHA example found here:

https://developers.google.com/recaptcha/docs/display#config

<html>
  <head>
    <title>reCAPTCHA demo: Simple page</title>
     <script src="https://www.google.com/recaptcha/api.js" async defer></script>
  </head>
  <body>
    <form action="?" method="POST">
      <div class="g-recaptcha" data-sitekey="my_site_key"></div>
      <br/>
      <input type="submit" value="Submit">
    </form>
  </body>
</html>

I am able to see the displayed recaptcha image as follows:

When I check "I'm not a robot", I get the following:

As you can see, there is a Verify button and based on my tests, user response is sent to Google for verification.

How can I get the user response so that I can verify user response in my own backend code (as suggested by Google at https://developers.google.com/recaptcha/docs/verify).

g-recaptcha-response POST parameter when the user submits the form on your site

On the server side, I can, by clicking on the "Submit" button, get user input from parameter "g-recaptcha-response" only when a user is verified successfully with Google first. Otherwise, "g-recaptcha-response" is blank on the server side. This means that I can do server-side verification only after the client-side's verification success. If so, what is the point of doing another verification on the server-side, which is the option provided by Google reCAPTCHA?

Am I missing anything?

Solution

The cool thing about the new Google reCAPTCHA is that the validation is now completely encapsulated in the widget. That means that the widget will take care of asking questions and validating responses all the way until it determines that a user is actually a human; only then do you get a g-recaptcha-response value.

But that does not keep your site safe from HTTP client request forgery.

Anyone with HTTP POST knowledge could put random data inside of the g-recaptcha-response form field, and fool your site into thinking that this field was provided by the Google widget. So you have to validate this token.

In human speech it would be like,

  • Your Server: Hey Google, there's a dude that tells me that he's not a robot. He says that you already verified that he's a human, and he told me to give you this token as a proof of that.
  • Google: Hmm... let me check this token... yes I remember this dude I gave him this token... yeah he's made of flesh and bone let him through.
  • Your Server: Hey Google, there's another dude that tells me that he's a human. He also gave me a token.
  • Google: Hmm... it's the same token you gave me last time... I'm pretty sure this guy is trying to fool you. Tell him to get off your site.

Validating the response is really easy. Just make a GET Request to

https://www.google.com/recaptcha/api/siteverify?secret=your_secret&response=response_string&remoteip=user_ip_address

And replace response_string with the value that you earlier got from the g-recaptcha-response field.

You will get a JSON Response with a success field.

More information here: https://developers.google.com/recaptcha/docs/verify

Edit: It's actually a POST, as per documentation here.
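Added example (not code from the thread or from Google): the server-side check the answer describes, written in Python since the question calls itself technology-independent. It POSTs secret/response/remoteip to siteverify, fails closed when the field is blank, the endpoint is unreachable or success is not true, and additionally pins the reply's hostname to the site the widget was rendered on. FakeSiteverify, the token values, the IP and the hostname are constructed stand-ins so the block runs offline; against the fake, a token verifies once and is then reported as a duplicate, as in the dialogue above.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

def post_siteverify(secret, token, remote_ip=None, opener=urllib.request.urlopen):
    """POST secret/response/remoteip to siteverify; return the parsed JSON reply."""
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    req = urllib.request.Request(SITEVERIFY_URL, method="POST",
                                 data=urllib.parse.urlencode(fields).encode())
    with opener(req, timeout=5) as resp:
        return json.loads(resp.read().decode())

def verify_submission(form, secret, remote_ip, expected_hostname, poster=post_siteverify):
    """Server-side gate for one form post; fails closed on any doubt."""
    token = form.get("g-recaptcha-response", "")
    if not token:                   # widget never solved, or field stripped by the client
        return False
    try:
        reply = poster(secret, token, remote_ip)
    except (OSError, ValueError):   # Google unreachable, or the reply is not JSON
        return False
    # success must be literally true; also pin the hostname the widget was rendered on
    return reply.get("success") is True and reply.get("hostname") == expected_hostname

class FakeSiteverify:
    """Constructed stand-in for Google's endpoint (not the real service): each token it
    'issued' verifies once, then is reported as a duplicate, as in the dialogue above."""
    def __init__(self, issued_tokens, hostname):
        self.unused, self.hostname = set(issued_tokens), hostname

    def __call__(self, secret, token, remote_ip=None):
        if token in self.unused:
            self.unused.discard(token)
            return {"success": True, "hostname": self.hostname}
        return {"success": False, "error-codes": ["timeout-or-duplicate"]}

def demo():
    """The thread's cases against the fake: genuine, replayed, forged, missing."""
    google = FakeSiteverify({"tok-genuine"}, "example.com")    # constructed token/site
    def check(form):
        return verify_submission(form, "your_secret", "203.0.113.5", "example.com", poster=google)
    return (check({"g-recaptcha-response": "tok-genuine"}),  # True: first use
            check({"g-recaptcha-response": "tok-genuine"}),  # False: replayed token
            check({"g-recaptcha-response": "random-junk"}),  # False: forged field
            check({}))                                       # False: blank/missing field
```

In a real servlet the secret stays on the server and the browser never sees it; only the g-recaptcha-response value travels from client to server.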

