[TriLUG] ReCaptcha ( mobile ) issues

[Brian McCullough via TriLUG]

On Wed, Jul 20, 2016 at 06:25:19PM -0400, Triangle Linux Users Group discussion list wrote:
> On 07/20/2016 01:55 PM, Brian McCullough wrote:
> > On Wed, Jul 20, 2016 at 08:38:57AM -0400, Triangle Linux Users Group discussion list wrote:
> >> On 07/20/2016 08:29 AM, Brian McCullough via TriLUG wrote:
> >>> I am working on a web site where we had Captcha installed and
> >>> working for some time, years.  Then Google changed how it was called
> >>> and used, and it broke.
> >>
> >> Forgive me for asking but: do you really get a lot of bots on your
> >> website? Is it maybe an option to get rid of the captcha altogether?
> > 
> > I agree, a perfectly reasonable question, and I could counter with a
> > different option.  I could try and determine which browser was coming in
> > and disable the ReCaptcha just for the browsers that matter.
> 
> You could but I would argue against that in favor of actually fixing the
> issue. If you decide to turn the captcha off for 'this one browser',
> you're actually turning if off for all of them; because the next browser
> where it doesn't work will receive the same treatment, and the next one
> and the next one... and then there's that bastard who spoofs his user
> agent string as well.

Oh, I completely agree.  That would be my last solution.  The direction
that I would actually go here, would be to look at the window width,
since mobile windows are generally narrower than desktop windows, and
use that to determine whether to show the ReCaptcha or not.


> > So, the answer is, to a large extent, yes, we do need ReCaptcha, within
> > a certain range of "need."
> 
> I'm reading your reference to "need" as a case of "The Customer Is
> Always Right(tm)" ;)

Exactly true.



> You mentioned that you "turned the captcha on again after having been
> turned off for a long while" (I'm paraphrasing); what about just blowing
> away the existing code and re-inserting whatever google is recommending
> for you to add these days? Maybe the code that was there did indeed work
> until (over) a year ago but now has changed and isn't what you should be
> using any more because it does indeed not work and isn't supposed to.
> (I'm positing this because I have a hard time accepting that if the code
> is right, it wouldn't work on a major browser - although it's not
> entirely outside of the real of possibilities.)

Oh, yes.  That's exactly what happened.

Yes, the old code was useless, so I went back to the Google "ReCaptcha"
page, their documentation, instructions, sample code and library that
was necessary to make their new version work.

I moved all of this into our code base, replacing all of the existing
Google-related code, inserting it into the places where it had been
previously.

It was during testing that we discovered that this new code, the "No
Captcha Captcha," as I think Google describes it, worked well on any
desktop browser that we tried it on, but it failed miserably on iPhones.

Further mobile testing, and desktop testing today, showed that although
it had worked on Chrome on my Android phone, it failed, like the
iPhones, on other browsers that I installed on my phone.

Today's testing showed that I could make it fail on my desktop by
narrowing the browser to the minimum that Chrome would do. 

Browser height didn't seem to matter.

Actually, testing today showed that browser width less than 460 pixels
would make the ReCaptcha system fail.

Unfortunately, browser width in mobile devices is not particularly wide.


Brian