Can I combine recaptcha challenge key and recaptcha session key with Google Cloud Armor?


Has anyone managed to combine a reCAPTCHA challenge key and a reCAPTCHA session key within the same Cloud Armor policy, and make both types work on the same page?

I can only associate one reCAPTCHA Enterprise key with Cloud Armor. Scenario:

  1. The user enters the login page.
  2. Cloud Armor redirects him to the reCAPTCHA challenge page.
  3. If he succeeds, he enters the information (email and password).
  4. The session token will be generated when sending the form and it will be stored in cookies.
  5. Cloud Armor will validate the token afterwards.

Same thing when I want to combine a SESSION key and an ACTION key. I associated the "action type key" with a rule, and I associated a "session type key" with another Cloud Armor rule. I passed the action token as a header and I checked the validity of the token with the condition "token.recaptcha_action.valid" in the Cloud Armor rule: the token is always invalid, whereas when I test it with "the createAssessment code", the token is valid.


There are 1 best solutions below

Dion V On

It seems that it is not possible to combine both a reCAPTCHA challenge key and a session key within the same Cloud Armor policy to achieve the scenario.

However, you can try this approach to achieve a similar level of protection and maintain a smooth user experience. You can try multi-step verification with separate policies. Use two separate Cloud Armor policies:

  1. The first policy, with a reCAPTCHA challenge key, would trigger upon initial access to the login page. This would ensure bots/spam are filtered before reaching the login form.

  2. The second policy, with a reCAPTCHA session key, would trigger after form submission when the session token is generated. This would verify user legitimacy before granting access to sensitive information.

This approach may require careful configuration to ensure a seamless user experience between both policies.