Gatekeeper tends to handle CAPTCHAs a little differently from other policies. For example, take this simple policy:

Policy

When any visitor visits any page 10 times in 24 hours, then deny the visit.

The way this policy works is straightforward. Every time a user visits, Gatekeeper checks that user's visit history and counts the number of visits in the last 24 hours. If the number of visits is greater than or equal to 10, the visit is denied.

However, this does not work well for CAPTCHAs. Let's take the same policy and change the authorization to "captcha".

Policy

When any visitor visits any page 10 times in 24 hours, then require a CAPTCHA.

By default, when a user reaches the 10 visit limit, they would be required to complete a CAPTCHA every single visit for the next 24 hours. Oops, that's not right.

To solve this, Gatekeeper requires one more setting for policies that use the "captcha" authorization: a grace interval. The grace interval is the number of visits before a user will be required to fill out another CAPTCHA, after the first. With a grace interval, our sample policy looks like so:

Policy

When any visitor visits any page 10 times in 24 hours, then require a CAPTCHA every 30 visits.

With this policy, our theoretical user will be required to complete a CAPTCHA on the 10th visit, 40th visit, 70th visit, and so on.


To better understand the CAPTCHA authorization, consider the following scenarios.

Let's say we have the following policy:

Policy

When any visitor visits any page 3 times in 24 hours, then require a CAPTCHA every 50 visits.

The typical CAPTCHA interaction is simple. A user visits 3 times, causing Gatekeeper to prompt the user to solve a CAPTCHA. The user solves the CAPTCHA and continues on their merry way.

Another common situation is for a user to initially ignore or fail a CAPTCHA. In these cases, Gatekeeper will continue to require a CAPTCHA until a successful solution is submitted. Once solved, the user may continue visiting as normal.


However, not all cases will be so simple. Let's look at a policy that relies on CAPTCHA attempt counts.

Imagine we have another policy in the mix. This policy will be used to ban perpetual CAPTCHA ignorers, similar to the sample used in the automatic banning tutorial.

Policy

When any visitor ignores a CAPTCHA (does not submit a solution to the challenge) 5 times in 7 days, deny visit and add IP to blacklisted IP addresses permanently.

We can imagine a robot visiting your site, ignoring 5 CAPTCHAs, and getting its IP address banned.

But what about a human? It's also not hard to imagine a person skipping a few CAPTCHAs by accident, but we don't want to ban their IP address for that. This leads to the next difference in how CAPTCHAs are implemented in Gatekeeper.

When reviewing visit history, Gatekeeper typically counts all page visits/CAPTCHA attempts within the given time period. For example, if we have a policy that triggers after 10 visits in 1 hour, and a user visits 10 times in less than an hour, we can expect this policy to be triggered.

However, unsolved and failed CAPTCHA attempts are only counted since the last solved CAPTCHA or the beginning of the time period, whichever is more recent. To understand why unsolved/failed CAPTCHA attempts are counted differently, consider the following situation.

We still have our two policies from before. The first requires users to complete a CAPTCHA after 3 visits, the second bans users who ignore too many CAPTCHAs. A human visitor triggers the CAPTCHA policy, but then ignores 4 CAPTCHAs in a row. On the fifth CAPTCHA, they notice their mistake and solve the CAPTCHA, allowing them to continue on visiting as normal.

50 visits later, the first policy triggers again, challenging this user to solve another CAPTCHA. And they ignore it. What happens now? This is their 5th ignored CAPTCHA, after all.

Thankfully, our careless visitor will not be banned by the CAPTCHA ignorer policy. Since they successfully solved a CAPTCHA after ignoring the first 4, from Gatekeeper's point of view, this user only has 1 ignored CAPTCHA.

Again, policies that check the number of unsolved/failed CAPTCHA attempts only count unsolved/failed attempts in a row. Solving a CAPTCHA resets the count.
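The two counting rules described on this page (the grace interval for the "captcha" authorization, and the unsolved/failed count that resets on a solve) are easiest to see as a small simulation. The following is an added example written for this page, not Gatekeeper's own code: the policy classes, the Visitor state machine and the outcome names are constructed. It assumes that the grace interval is counted from the triggering visit (so a 10-visit trigger with a 30-visit interval challenges on visits 10, 40, 70, as above), that an unanswered challenge is re-presented on every visit until solved, and that a visit that moves on without submitting a solution is what the ban policy counts as "ignores a CAPTCHA".

```python
from dataclasses import dataclass, field

# Constructed model of Gatekeeper's CAPTCHA handling; names and structure are assumptions.
SOLVED, IGNORED, FAILED = "solved", "ignored", "failed"


@dataclass
class CaptchaPolicy:
    """'When any visitor visits any page N times in W seconds, require a CAPTCHA every G visits.'"""
    visits: int           # N: visits in the window that trigger the first challenge
    window: int           # W: sliding window in seconds
    grace_interval: int   # G: visits between repeat challenges


@dataclass
class IgnorePolicy:
    """'When any visitor ignores a CAPTCHA N times in W seconds, deny and blacklist the IP.'"""
    attempts: int
    window: int


@dataclass
class Visitor:
    captcha_policy: CaptchaPolicy
    ignore_policy: IgnorePolicy
    visit_times: list = field(default_factory=list)      # one timestamp per visit
    captcha_events: list = field(default_factory=list)   # (timestamp, SOLVED | IGNORED | FAILED)
    pending: bool = False   # an unanswered challenge is re-presented until it is solved
    banned: bool = False

    def captcha_required(self, now):
        """Grace-interval rule: challenge on the N-th visit in the window and every G visits after it."""
        if self.pending:
            return True
        p = self.captcha_policy
        n = sum(1 for t in self.visit_times if t > now - p.window)
        return n >= p.visits and (n - p.visits) % p.grace_interval == 0

    def ignored_count(self, now):
        """Unsolved/failed attempts since the last solved CAPTCHA or the window start,
        whichever is more recent; solving a CAPTCHA therefore resets the count."""
        cutoff = max([now - self.ignore_policy.window]
                     + [t for t, o in self.captcha_events if o == SOLVED])
        return sum(1 for t, o in self.captcha_events if o != SOLVED and t > cutoff)

    def visit(self, now, answer=None):
        """answer: None (challenge ignored), 'correct' or 'wrong'. Returns 'allow',
        'solved' (challenged and passed), 'captcha' (challenge still up) or 'deny' (banned)."""
        if self.banned:
            return "deny"
        self.visit_times.append(now)
        if not self.captcha_required(now):
            return "allow"
        if answer == "correct":
            self.captcha_events.append((now, SOLVED))
            self.pending = False
            return "solved"
        self.captcha_events.append((now, FAILED if answer == "wrong" else IGNORED))
        self.pending = True
        if self.ignored_count(now) >= self.ignore_policy.attempts:
            self.banned = True   # the ignorer policy fires: deny and blacklist the IP
            return "deny"
        return "captcha"


DAY = 24 * 3600
BAN_POLICY = IgnorePolicy(attempts=5, window=7 * DAY)


def challenge_schedule(policy, total_visits):
    """Visit numbers on which a visitor who solves every CAPTCHA immediately is challenged."""
    v = Visitor(policy, BAN_POLICY)
    return [i for i in range(1, total_visits + 1) if v.visit(i * 60, "correct") == "solved"]


def careless_human():
    """The page's scenario: 4 CAPTCHAs ignored, the 5th solved, one more ignored 50 visits later."""
    v = Visitor(CaptchaPolicy(visits=3, window=DAY, grace_interval=50), BAN_POLICY)
    log = {}
    for i in range(1, 54):                       # visits 1..53, one per minute (constructed)
        answer = "correct" if i == 7 else None   # only the challenge shown on visit 7 is solved
        log[i] = v.visit(i * 60, answer)
    return log, v.ignored_count(53 * 60), v.banned


def robot():
    """Five consecutive ignored challenges: banned on the fifth, denied from then on."""
    v = Visitor(CaptchaPolicy(visits=3, window=DAY, grace_interval=50), BAN_POLICY)
    outcomes = [v.visit(i * 60) for i in range(1, 9)]
    return outcomes, v.banned


if __name__ == "__main__":
    print(challenge_schedule(CaptchaPolicy(visits=10, window=DAY, grace_interval=30), 80))
    print(careless_human()[1:], robot())
```

In the careless-human run the challenge first appears on visit 3 and stays up through visit 6, the solve on visit 7 clears it, visits 8 to 52 pass, and the ignored challenge on visit 53 counts as a single ignored CAPTCHA because the cutoff in ignored_count is the solve on visit 7 rather than the window start. The robot run reaches five ignored attempts with no solve in between and is banned on its seventh visit.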

For more details on how Gatekeeper handles CAPTCHA responses, visit our page on computing visit authorizations.