No Code Attached Yet Information Required
macstalker - open - 14 Sep 2020

If you spend more than 2 minutes on the account registration form (it might be any other form which utilizes the Invisible reCAPTCHA plugin), then on submitting the form you get an error: "timeout-or-duplicate".
If you click one more time on the Submit button, the form should be submitted successfully.

This happens because the captcha token is only valid for 2 minutes after execute is called, as stated in the docs: https://developers.google.com/recaptcha/docs/v3

Note: reCAPTCHA tokens expire after two minutes. If you're protecting an action with reCAPTCHA, make sure to call execute when the user takes the action.

Another possible solution: set an interval that calls the set-token function, so it is refreshed every 2 minutes.


macstalker - open - 14 Sep 2020
joomla-cms-bot - labeled - 14 Sep 2020
jiweigert - comment - 15 Sep 2020

Variant of the existing solution, but extending it with the display of a countdown timer, so the user gets informed of the time limit of the actual InvisibleReCaptcha token.



richard67 - comment - 15 Sep 2020

Variant of the existing solution, but extending it with the display of a countdown timer, so the user gets informed of the time limit of the actual InvisibleReCaptcha token.

I've never seen a website doing that for any kind of Google Captcha.

jiweigert - comment - 15 Sep 2020

Variant of the existing solution, but extending it with the display of a countdown timer, so the user gets informed of the time limit of the actual InvisibleReCaptcha token.

I've never seen a website doing that for any kind of Google Captcha.

Not for Google Captcha, but for example on online banking sites (Germany), which have a maximum session timeout of 5-10 min because of security concerns, so that the session is terminated on idle.

Also there is a countdown timer / visualisation in Google Authenticator to inform the user about the time left the presented code is valid.

The drawback of your second solution, requesting a new token every 2 min, is that it may result in running out of free API requests if someone decides to DOS the registration process by spawning lots of sessions and forcing the plugin to request tokens for every open registration session every two minutes...

richard67 - comment - 15 Sep 2020

Not for Google Captcha, but for example on online banking sites (Germany), which have a maximum session timeout of 5-10 min because of security concerns, so that the session is terminated on idle.

Also there is a countdown timer / visualisation in Google Authenticator to inform the user about the time left the presented code is valid.

A Captcha is not an authenticator and not a replacement for an authenticator and shall not be abused as an authenticator, so you compare apples with pears.

jiweigert - comment - 16 Sep 2020

Richard Fath

A Captcha is not an authenticator and not a replacement for an authenticator and shall not be abused as an authenticator, so you compare apples with pears.

Where did I say that actually?
The problem is that the token for invRecaptcha has a lifespan of 2 minutes.
The user isn't aware of that and may spend more time filling out the form.

One suggestion from me is a visible countdown to indicate how much time is left.
A minimal solution is simple information (static text) and suppressing the message about an invalid token.
When the user has filled out the form and sends it, the process silently renews the token if possible and proceeds.

But permanently requesting a new token every 2 min until the form may be sent is a crude solution, with the previously mentioned possible side effects.
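The two-minute window described in the opening post and the countdown / silent-renew ideas in the comment above, as an added example that is not code from the Joomla issue or from the Invisible reCAPTCHA plugin: a small client-side guard that tracks when a token was issued, reports the seconds left for a countdown, refreshes before expiry, and never submits the same token twice. The 10-second refresh margin and the `grecaptcha`/form wiring in the trailing comment are assumptions.

```javascript
// Added example (not from the Joomla plugin): token freshness guard for an
// Invisible reCAPTCHA form, covering both causes of "timeout-or-duplicate".
const TOKEN_TTL_MS = 2 * 60 * 1000;  // tokens expire two minutes after execute (Google docs)
const REFRESH_MARGIN_MS = 10 * 1000; // assumed safety margin: refresh before the last 10 s

class CaptchaTokenGuard {
  // `now` is injectable so the expiry logic can be exercised without waiting.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.token = null;
    this.issuedAt = 0;
    this.used = false;
  }
  // Call right after grecaptcha.execute() yields a token.
  record(token) {
    this.token = token;
    this.issuedAt = this.now();
    this.used = false;
  }
  // Whole seconds of validity left, for a countdown display; 0 once expired or used.
  secondsLeft() {
    if (this.token === null || this.used) return 0;
    const left = TOKEN_TTL_MS - (this.now() - this.issuedAt);
    return left > 0 ? Math.floor(left / 1000) : 0;
  }
  // True when submitting now would be reported as "timeout-or-duplicate":
  // no token yet, a token already sent once, or one about to expire.
  needsRefresh() {
    if (this.token === null || this.used) return true;
    return this.now() - this.issuedAt >= TOKEN_TTL_MS - REFRESH_MARGIN_MS;
  }
  // Hands the token to the submit handler and retires it: sending the same
  // token a second time is what the server reports as a duplicate.
  consume() {
    if (this.needsRefresh()) throw new Error('token stale: refresh before submit');
    this.used = true;
    return this.token;
  }
}

// Intended wiring on a real page (assumed: fetchToken() wraps grecaptcha.execute,
// callback-style for v2 Invisible or Promise-style for v3; form and tokenField exist):
// form.addEventListener('submit', async (ev) => {
//   ev.preventDefault();
//   if (guard.needsRefresh()) guard.record(await fetchToken());
//   tokenField.value = guard.consume();
//   form.submit();
// });
```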

richard67 - comment - 16 Sep 2020

Where did I say that actually?

You have mentioned Google Authenticator and online banking sites as examples for a solution which might make sense for an authenticator but doesn't make sense for a Captcha.

The problem is that the token for invRecaptcha has a lifespan of 2 minutes.

I did understand the problem, no need to explain again.

I just don't think it should be handled in Joomla. I suppose there is no single website in the world which handles the timeout of the Google captcha token in such a way, so why should Joomla start with it?

But that's my personal opinion, others may have a different view.

jiweigert - comment - 16 Sep 2020

Richard Fath

Where did I say that actually?

You have mentioned Google Authenticator and online banking sites as examples for a solution which might make sense for an authenticator but doesn't make sense for a Captcha.

I may have problems with not being perfect in English, but if you would read again, I gave two examples of situations where countdown timers are used for signaling that a user has a time limit; I did not refer to the original function of a 2FA authenticator or to checking your bank account.

That a visual countdown timer is not used doesn't mean that it can't be, nor that it should not be.

We are talking here about a part of Invisible ReCaptcha, not any other Captcha whose function is different; can you please stay on topic and use the term?

richard67 - comment - 16 Sep 2020

I gave two examples of situations where countdown timers are used for signaling that a user has a time limit; I did not refer to the original function of a 2FA authenticator or to checking your bank account.

But these were the examples given, 2FA authenticator and bank account.

Anyway, maybe it's just me not seeing the need for a fix here, and as every human being I might be wrong.

Let's wait for other opinions.

Fedik - comment - 16 Sep 2020

Invisible reCaptcha and V3 reCaptcha are two totally different things.

Fedik - comment - 16 Sep 2020

The solution is to update reCaptcha to V3 or merge this #28798

jiweigert - comment - 16 Sep 2020

Fedik,
I'm a bit confused here; the issue is about "Invisible reCaptcha", not reCaptcha.
So "updating" makes no sense, when you actually mean:

Switching to a different product, either "reCaptcha v3" or the product "hCaptcha" in the PR #26798 you mention.

That raises questions:
a) What about users who want to or do use "Invisible reCaptcha"? Does the user have to fix this issue himself?
b) Or do I get you wrong, and there is an "Invisible reCaptcha v3" and the version Joomla uses is simply outdated?

Edit: I see, "Invisible reCaptcha" is based on reCaptcha v2, right? (by the look on the menu items at https://developers.google.com/recaptcha/docs/invisible)
So

Fedik - comment - 16 Sep 2020

the issue is about "Invisible reCaptcha", not reCaptcha.

The issue is about the timeout, with a link to reCaptcha v3; that is incorrect.

btw, "reCaptcha v3" is technically also "invisible", but it has a bit different API.

What about users, who want to or do use "Invisible reCaptcha"

Users have to move to the new version; at some point V2 will be dropped, as happened with V1.

jiweigert - comment - 16 Sep 2020

Thanks for clarifying!

Quy - change - 9 Feb 2022
Labels Added: No Code Attached Yet, Information Required
Removed: ?
Quy - labeled - 9 Feb 2022
Quy - change - 9 Feb 2022
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2022-02-09 20:12:47
Closed_By: Quy
Quy - close - 9 Feb 2022
Quy - comment - 9 Feb 2022

Closing for stated reasons/solutions.
