Wayne Barron

V3 reCAPTCHA not showing in form

Hello, all.

I am working with the V3 of the reCaptcha, and I have an issue with it.
When the page loads, it loads the flyout reCaptcha on the bottom right of the page.
However, it is not showing the challenge in the form.

  <input type="hidden" id="g-recaptcha-response" name="token" />
  <script type="text/javascript">
      function onClick(e) {
          e.preventDefault();
          grecaptcha.ready(function () {
              grecaptcha.execute('YOUR-LOCAL-KEY', { action: 'submit' }).then(function (token) {
                  // Add your logic to submit to your backend server here.
                  //console.log('refreshed token:', token);
                  //document.getElementById("g-recaptcha-response").value = token;
              });
          });
      }
  </script>
  <script type="text/javascript" src="https://www.google.com/recaptcha/api.js?render=YOUR-LOCAL-KEY"></script>


Any ideas on this would be great.
Thank you.
Wayne

* recaptcha
* JavaScript

8/22/2022 - Mon
gr8gonzo

I presume you've swapped "YOUR-LOCAL-KEY" for your actual key, right?

Does the JavaScript console in developer tools (hit F12 in your browser) show any errors?
Wayne Barron

ASKER
No errors.
That is what is so weird about this: there are no errors.

And yes, I am the one who wrote the "YOUR-LOCAL-KEY," replacing my original key.
Wayne Barron

ASKER
Here is a test page with it running live.
https://www.waynebarron.com/test/recaptcha.asp
Wayne Barron

ASKER
It seems I might be looking at this V3 reCaptcha like V2.
I am used to having something to challenge my visitor with, but looking at this demo.
https://www.waynebarron.com/test/recaptchav3.asp
It seems that it is done differently, and without a challenge.
And if that is the case, then what is the purpose?
Clearly, something is not showing up or doing right in my demos.

Could someone please confirm this?
gr8gonzo

Sorry, that was my fault. I've been a little under the weather today and I probably shouldn't have been trying to answer questions earlier today.

You're correct in that v3 doesn't have any challenge that the user sees. The way it works is that once you run execute(), it will perform operations that will calculate the probability that the current user is human vs. a bot.

You get back a time-limited (2 minutes) token, which is passed in the JavaScript callback:

...then(function (token) {
});

You include that token as another field in your form submission.

On the server side that processes the form submission, you get the form fields as well as the token. Then the server sends that token over to Google to verify it. In response, you'll get a JSON string back which contains the official thumbs up or down on whether the submission is legitimate.

From there you can decide what to do with the submission and how to respond to the user.
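The server-side half of the flow described above, as an added example that is not part of the original thread. It uses Google's documented siteverify endpoint and response fields; the expected action, hostname and the 0.5 score threshold are assumptions a site owner would set, and the sample responses are constructed.

```javascript
// Added example (Node 18+, global fetch): verify a reCAPTCHA v3 token server-side.
const VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';
const MAX_TOKEN_AGE_MS = 2 * 60 * 1000; // tokens are valid for two minutes

// Turn Google's JSON answer into an accept/reject decision. `expected` holds
// site-owner assumptions: the action passed to execute(), the site's hostname,
// and a minimum score.
function evaluateVerdict(verdict, expected, now = Date.now()) {
  if (!verdict || verdict.success !== true) {
    const codes = (verdict && verdict['error-codes']) || [];
    return { ok: false, reason: 'rejected: ' + codes.join(',') };
  }
  if (verdict.action !== expected.action) return { ok: false, reason: 'action mismatch' };
  if (verdict.hostname !== expected.hostname) return { ok: false, reason: 'hostname mismatch' };
  const age = now - Date.parse(verdict.challenge_ts);
  if (!(age <= MAX_TOKEN_AGE_MS)) return { ok: false, reason: 'token too old' }; // NaN also fails
  if (typeof verdict.score !== 'number' || verdict.score < expected.minScore) {
    return { ok: false, reason: 'low score' };
  }
  return { ok: true, reason: 'accepted' };
}

// Post the hidden form field's token to Google together with the secret key.
async function verifyToken(token, secret, expected) {
  if (typeof token !== 'string' || token.length === 0) {
    return { ok: false, reason: 'missing token' };
  }
  const body = new URLSearchParams({ secret, response: token });
  const res = await fetch(VERIFY_URL, { method: 'POST', body });
  return evaluateVerdict(await res.json(), expected);
}

// Constructed sample data (not real responses).
const EXPECTED = { action: 'submit', hostname: 'www.example.com', minScore: 0.5 };
const SAMPLE_NOW = Date.parse('2022-08-22T15:01:00Z');
const SAMPLE_HUMAN = { success: true, score: 0.9, action: 'submit',
  challenge_ts: '2022-08-22T15:00:30Z', hostname: 'www.example.com' };
const SAMPLE_BOT = { ...SAMPLE_HUMAN, score: 0.1 };
const SAMPLE_REUSED = { success: false, 'error-codes': ['timeout-or-duplicate'] };
```

The secret key stays on the server; only the site key appears in the page's JavaScript.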
Wayne Barron

ASKER
I like the idea you have here.
Though on the site I'm currently working on, such a system would not be needed.
However, the other site(s) I have, which will soon be upgraded to a new design, will need such a feature.

I would like to dabble with your concept a little more.
Wayne Barron

ASKER
Another option.
Obtaining the visitor's IP address (which I've been doing for years)
and then comparing the IP address with the following submission within a given timeframe.

I designed a forum a few years ago, and I implemented this into it.
If a user submitted a post and then submitted again, either by accident or to spam, it would tell them they have to wait 10 minutes before submitting another post, regardless of whether it was on the same thread or not.
gr8gonzo

The only catch with that is that we're still mostly on IPv4 and there's an ever-increasing sharing of IPv4 addresses using NAT. It used to be mostly just businesses where you'd have one or two public IPs and all the employees inside the firewall shared those public IPs. Nowadays a lot of families have multiple family members with their own computers and the whole family is sharing one public IP.

So if you had two kids who were both engaged users on some video game forum, for example, you could have two legitimate, individual users with different sessions coming from the same IP.

The concept might work at a low volume of traffic (although it's still somewhat punishing to legit users who want to post more than once in a 10-minute period) but will run into accuracy problems as volume increases.
Wayne Barron

ASKER
I did not think about the firewall issue, as that is the way 100% of households and businesses are.
So, you are right; that would put a damper on that idea unless I grabbed the computer name and IP address, added a session, and made it a 1-minute window between posts.

I got the 10-minute window from an old classic asp forum I was a member of years ago. They had a 10-minute window between posts as some users would go around and spam the threads with links to their forums, trying to get people over to them, so the moderator swapped it from 1 minute to 10 minutes.
And I am pretty sure it caused some issues. However, I was not a member of the forum for long enough to notice a problem, as I was mainly on the site helping to answer questions, so I had a pass on the 10 minutes; mine was still sitting at 1 minute.
gr8gonzo

> unless I grabbed the computer name
To my knowledge, you can't grab the computer name without resorting to using ActiveX, which is probably going to be universally blocked these days. But even if you could, there's no guarantee of it being unique.

Another problem with IP-based stuff is that it's not too hard to spoof your IP. So if you got a legitimate session, then basically ran a script to spam 1000 HTTP requests to your server with 1000 unique IPs, your server wouldn't be able to tell the difference unless you recorded the original IP into the session (which could be a problem for outbound load balancers). Granted, a spoofed IP means the sender won't be able to receive any response, but if the request is enough to do the work, then they don't need the response anyway.
 
It's usually better to institute these kinds of controls through sessions and database, since all of that data isn't exposed to the client machine so it can't be directly manipulated, and that data can act as the authorizing element in doing that kind of rate-limiting (e.g. if you want to send a message, you have to have a legitimate account, log into it, and your database-backed session has to indicate that enough time has passed since the last message was sent). That way, it can't be circumvented by switching browsers or even switching to another connection / VPN to get a different IP. Plus, it's simpler to manage since you don't have to track IPs if you don't want to, and you don't have to worry about the gradual transition to IPv6 and how that factors into your security model. Aaaanyway, not trying to be a downer - just kicking around ideas with you...
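A sketch of the session-and-database approach from the comment above, as an added example that is not code from the thread. The in-memory maps stand in for database tables, and the function names and the 1-minute window are assumptions chosen for illustration.

```javascript
// Added example: a posting cooldown enforced from server-side state only.
const COOLDOWN_MS = 60 * 1000; // assumed 1-minute window between posts

// Stand-in for two database tables. The browser holds only an opaque session
// id; the account mapping and the last-post time never leave the server.
function createStore() {
  return { sessions: new Map(), lastPostAt: new Map() };
}

// Called after a successful login: bind the session id to the account.
function login(store, sessionId, accountId) {
  store.sessions.set(sessionId, accountId);
}

// Decide whether this request may post. request.ip is deliberately ignored:
// the limit follows the account, so a new IP, VPN or browser changes nothing.
function tryPost(store, request, now = Date.now()) {
  const accountId = store.sessions.get(request.sessionId);
  if (accountId === undefined) {
    return { allowed: false, reason: 'not logged in' };
  }
  const last = store.lastPostAt.get(accountId);
  if (last !== undefined && now - last < COOLDOWN_MS) {
    return { allowed: false, reason: 'cooldown', retryAfterMs: COOLDOWN_MS - (now - last) };
  }
  store.lastPostAt.set(accountId, now);
  return { allowed: true, reason: 'ok' };
}
```

Two accounts behind one NAT address are limited independently, while one account using two browsers shares a single cooldown.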
Wayne Barron

ASKER
I believe I was thinking back to my Windows programming days, where I built a control panel in a piece of software, and it got the computer name.
So, with that stated.
I think I will look at what you mentioned in your first comment.
If you've ever done it before and might have a starter on it, that would be helpful.
gr8gonzo

Hmm... my classic ASP is pretty rusty (I assume you're doing classic ASP given the .asp extension on your URL). I do mostly PHP or .NET these days, so I would suggest opening up another request for help on this in the ASP topic zone.

Or I could throw together the snippet in PHP or C# if that would help at all. I will do a little refresher on ASP in the meantime in case I get to the new question before anybody else does.

And yeah, desktop programming would definitely be able to access the computer name. I think in some cases you could also get it passed into a web page if you were on an IIS intranet where the computer was getting authenticated with NTLM.... I think...
Wayne Barron

ASKER
Hey, Gonzo.
I read over what you had written and am interested in doing something like this.
So, this is what I have so far. Let me know what you think.

I have an md5 Hash script I found years ago that I've been using on the user password table, which gives me the same output as what you provided in your example.
So we are using the same thing, which is excellent.

MD5("seeeeecretssss2022-01-22T19:30:019588467325")
(That should produce a hash of 340c3fcdcc0fadcdf67ad53019b489be)

Now, what I've done.
(To be used as a Page Hit Counter, to make sure someone does not slam the page with false hits.
I was using a session, but with the servers set up in a round-robin configuration, it would create a hit every time they refreshed the page, as it would load on a different server. So this is my way of keeping my config the way it is on the servers and ensuring my visitors are not giving false hits against the page. Which at the current moment, would be three hits in the place of 1, as there are three virtual web servers)


#1 Create a Variable to use (getHash = md5(date&"-"&time))
strgetID = PageName
strgetIt = ID
The cookie looks like this. Response.Cookies("SiteName")(strgetID&strgetIt)
(Creates different cookies for the page the visitor is viewing, and different records in the database)
#2 Create a Cookie with the value of getHash, which expires in 30 minutes.
#3 Insert the values of getHash and the IP Address into the database.
#4 I am doing a check for the existing cookie. If it does not exist, create another cookie. If it does, then do not update the database. The cookie lives for 30 minutes before the cookie monster eats it.

Tested with two different Google Chrome users on the same computer, and they both create their cookie, and each cookie expires when it should, and then each cookie is created right after. So each one created its own record in the database with the same IP address and its own HASH.

So far, I am pretty happy with the way it turned out, and I will implement it later on for the other forms on the site(s).
The main thing I wanted to do was make a good page hit counter with daily stats, and this little piece of information you provided gave me everything I needed to do the job.

Thank you so very much.
Wayne
Wayne Barron

ASKER
Updated the information on section #1
Had to change some things around, to work with ONE cookie instead of multiple cookies.
gr8gonzo

Nice - glad it helped.

For a page hit counter, you could probably go a little simpler if you wanted. I often use the hash mechanisms mostly to help prevent scripted bot form submissions. With a page hit counter, it's usually less sensitive, so you could just hold a flag in a domain-wide, regular ol' cookie. If the cookie isn't set, set it and increment the counter. That way, when you hit the next server, the user should still present the same cookie it got from before and you wouldn't need to record yet another hit.

Still, a cool use of the hash.
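The simpler flag-cookie counter suggested above, as an added example that is not code from the thread. The cookie naming scheme, the `example.com` domain and the `counters` map (standing in for the shared database table behind the round-robin servers) are assumptions; the 30-minute lifetime follows the thread.

```javascript
// Added example: count one hit per visitor per page across round-robin servers.
const FLAG_TTL_SECONDS = 30 * 60; // 30-minute window, as used in the thread

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Every web server calls this with the same shared `counters` store. The flag
// is domain-wide, so whichever server answers next sees the same cookie.
function recordHit(counters, pageId, cookieHeader) {
  // Restrict the cookie name to safe characters (naming scheme is assumed).
  const flag = 'hit_' + pageId.replace(/[^A-Za-z0-9_-]/g, '_');
  if (parseCookies(cookieHeader).has(flag)) {
    return { counted: false, setCookie: null };
  }
  counters.set(pageId, (counters.get(pageId) || 0) + 1);
  // Domain is a placeholder; use the site's own registrable domain.
  const setCookie = `${flag}=1; Max-Age=${FLAG_TTL_SECONDS}; Domain=example.com; ` +
    'Path=/; HttpOnly; SameSite=Lax';
  return { counted: true, setCookie };
}
```

A client that discards cookies is counted on every request, which is why this fits a low-sensitivity hit counter and not form protection.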

Wayne Barron

ASKER
You do have a point there.
I think I was just happy to be messing around with HASH after not touching it for so long.
I mean, it is embedded in all my sites for the passwords, but I never thought about using it for anything else.
I like how I have it set, though; I could do it without it as well.

It is always really cool to do it on your own as well, you know?