The same HTML form passes validation if the form action URL is the same page, but fails if it is another one.
I tested that on 3 simple forms:
<form action="" class="reCaptCha" method="post">
    <input type="text" name="address" id="address" value="Empty" placeholder=" " required>
    <input type="hidden" name="action" value="Empty">
    <button type="submit">{{SEARCH_RELAIS}}</button>
</form>
<form action="samepage.php" class="reCaptCha" method="post">
    <input type="text" name="address" id="address" value="Same" placeholder=" " required>
    <input type="hidden" name="action" value="Same">
    <button type="submit">{{SEARCH_RELAIS}}</button>
</form>
<form action="anotherpage.php" class="reCaptCha" method="post">
    <input type="text" name="address" id="address" value="Another" placeholder=" " required>
    <input type="hidden" name="action" value="Another">
    <button type="submit">{{SEARCH_RELAIS}}</button>
</form>
I add the token in JS. I capture the submit like this:
$('form.reCaptCha').on('submit', function (e) {
    e.preventDefault(); // hold the submit until the token has been added
    var form = $(this),
        action = form.find("[name='action']").val();
    grecaptcha.ready(function () {
        grecaptcha.execute('MYKEY', {action: action}).then(function (token) {
            form.prepend('<input type="hidden" name="tokenReCaptcha" value="' + token + '">');
            form[0].submit(); // native submit, so this jQuery handler does not run a second time
        });
    });
});
Submitting the 1st and 2nd forms is OK, but the 3rd fails. samepage.php and anotherpage.php have exactly the same test code:
if (isset($_REQUEST['tokenReCaptcha']))
{
    $tokenReCaptcha = $_REQUEST['tokenReCaptcha'];
    $recaptcha = new \ReCaptcha\ReCaptcha(RECAPTCHA_SECRET);
    // expected action comes from the hidden "action" field of the submitted form
    $resp = $recaptcha->setExpectedAction($_REQUEST['action'])->setScoreThreshold(0.5)->verify($tokenReCaptcha, $_SERVER['REMOTE_ADDR']);
    var_dump($resp, $_REQUEST['action'], $tokenReCaptcha, $_SERVER['REMOTE_ADDR']);
    exit();
}
Example of a success dump:
object(ReCaptcha\Response)#2264 (7) {
["success":"ReCaptcha\Response":private]=>
bool(true)
["errorCodes":"ReCaptcha\Response":private]=>
array(0) {
}
["hostname":"ReCaptcha\Response":private]=>
string(18) "dev.perlesandco.fr"
["challengeTs":"ReCaptcha\Response":private]=>
string(20) "2023-05-05T08:27:53Z"
["apkPackageName":"ReCaptcha\Response":private]=>
string(0) ""
["score":"ReCaptcha\Response":private]=>
float(0.90000000000000002)
["action":"ReCaptcha\Response":private]=>
string(5) "Empty"
}
string(5) "Empty"
string(569) "03AL8dmw_60rSpF0jXH4CVyrSqLDCdYV290HRjk4HFNwPX5uazhAm1qhEp6v9BboYlV9mFpMfdr1vOYfZD7u0QFU0lXuPMqlDTDiEPdkaVkl10A2Kit_vfpgo24FVfB4cW9HZpa9yMMKIlLB-s2EMpUr0ydJbfyKpURrhQWM9v5bdUQArvTuavOLQbQA6KhWCiJuOTZE4t8KF5XA2IMWdIW1YmIILmPB2yolj6qn3fyt8jj7GiXVs4_Pgn6-eX7HHcfdzJVaGQ3aLkJuO1zhd4RfamRIZpr8Am0SRKtQvh7zMpZ_lHPJefvqdWTbIpqNvMZmjeBVwndaE-oLHbA0uwtUZY98VWEYy9GzqYSds9l0yyozelj-6PbuqlnksXFSunKr8plX_hQNVSKWKjz3XTEKBjf3Wu8xL0JVOlUtBmQTvY3sy0paF6LrZC8g1Gg3qRZwXW0yjqtrtQ0tI9bXXrUh55AO0hXj5mJaWuigUM8LK2ebutdWLtQ-rjfqybsEotiaYejT7kBfP1RAbR7cZstfZx150qrWVN1TuAIuzHWO5FY1QVHp-ygFQ"
And a fail dump:
object(ReCaptcha\Response)#2265 (7) {
["success":"ReCaptcha\Response":private]=>
bool(false)
["errorCodes":"ReCaptcha\Response":private]=>
array(3) {
[0]=>
string(20) "timeout-or-duplicate"
[1]=>
string(15) "action-mismatch"
[2]=>
string(23) "score-threshold-not-met"
}
["hostname":"ReCaptcha\Response":private]=>
string(0) ""
["challengeTs":"ReCaptcha\Response":private]=>
string(0) ""
["apkPackageName":"ReCaptcha\Response":private]=>
string(0) ""
["score":"ReCaptcha\Response":private]=>
NULL
["action":"ReCaptcha\Response":private]=>
string(0) ""
}
string(7) "Another"
string(569) "03AL8dmw-yBB-c6sdHPeVORv1_O50CXQLiLNcYjdIIqZV4ythI4APaG3R-S4AXDYpdgncKQ3yuZsrvkjNevRvzAmXJHV8dyu7Nbwd_gr7V6uJE5AMMwY4sEWZ5iOytVKaHAFbNVuPdH5thExejvSedtvm9feA_EySgbcOeNw3xGmRtgp28VPjLzcDUm3HQmSV04wbsv74b8497zs9Zpm4CCMs_ToNwNZIFLBrent98qdXUnTqZwC6R9ajlSIcUKVrqG4L2xXO3V5ZaQndSo-f4bTF_PmKHKkIClTw85dkvoZqIt_tERZbGX3p0zyHdu-5nNrn3FKTyxBP3AMNf83Mzhb7mwTF_dBjqKyuNMtCAvj85tHz9pTJ0RplxofckN0m3O2aLkJTsTmVRo9nMMJBQ55igp-kOVqG_agexG3AqfEg9TbBiSdZTFhk4PaxFJ0YlgAJa1ju3SoZlfBupmkbAUJ-3bnLtS44LI6lnH4rBJGn1_XcbRnDQ_0QlZSnmLBDn8WnYiRs-v7SNJzf84ZiBi_Tm5GenNWtAgLyR3hZpgQ7senSLCgGVtEQ"
I don't understand why.
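An added server-side handler (example code, not the poster's) that runs the same verification exactly once per request and keeps every error code the library returns, so a token Google has rejected can be told apart from a plain action or score mismatch; it assumes the google/recaptcha Composer package, the RECAPTCHA_SECRET constant from the question, and a placeholder hostname.

```php
<?php
// Added example, not the poster's code. Assumes google/recaptcha installed via Composer.
require __DIR__ . '/vendor/autoload.php';

function verifyRecaptchaToken(string $token, string $expectedAction, string $remoteIp): array
{
    $recaptcha = new \ReCaptcha\ReCaptcha(RECAPTCHA_SECRET);
    $resp = $recaptcha
        ->setExpectedHostname('www.example.com') // placeholder: the host that serves the form
        ->setExpectedAction($expectedAction)
        ->setScoreThreshold(0.5)
        ->verify($token, $remoteIp);

    // The library merges Google's own error codes with its local hostname/action/score
    // checks into getErrorCodes(), so several codes can appear together (as in the
    // failing dump above). Record all of them rather than only isSuccess().
    $result = [
        'ok'       => $resp->isSuccess(),
        'score'    => $resp->getScore(),
        'action'   => $resp->getAction(),
        'hostname' => $resp->getHostname(),
        'errors'   => $resp->getErrorCodes(),
    ];

    // A v3 token is valid for two minutes and can be verified only once. When Google
    // returns "timeout-or-duplicate" the response carries no action and no score, so the
    // local action and score checks fail as a consequence; the token itself is spent and
    // the client must call grecaptcha.execute() again to obtain a fresh one.
    if (in_array('timeout-or-duplicate', $result['errors'], true)) {
        $result['retry_with_new_token'] = true;
    }
    return $result;
}

// Verify once per request; never call verify() twice with the same token.
if (isset($_POST['tokenReCaptcha'], $_POST['action'])) {
    $result = verifyRecaptchaToken($_POST['tokenReCaptcha'], $_POST['action'], $_SERVER['REMOTE_ADDR']);
    error_log('recaptcha: ' . json_encode($result)); // keep the full code list for troubleshooting
    if (!$result['ok']) {
        http_response_code(403);
        exit('reCAPTCHA verification failed');
    }
}
```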