Gatekeeper handles CAPTCHAs a little differently from other responses. For example, take this simple policy:


If a user has visited any page 10 times in 24 hours, then deny the next visit.

The way this policy works is straightforward. Every time a user visits, Gatekeeper checks that user's visit history and counts the number of visits in the last 24 hours. If the number of visits is greater than or equal to 10, the visit is denied.

However, this does not work well for CAPTCHAs. Let's take the same policy and change the authorization to "captcha".


If a user has visited any page 10 times in 24 hours, then require a CAPTCHA.

When a user reaches the 10-visit limit, they will be required to complete a CAPTCHA on every single visit until their visit count for the past 24 hours drops below 10. Oops, that's not right.

To solve this, Gatekeeper requires one more setting for policies that use the "captcha" authorization: a grace interval. The grace interval is the number of visits before a user will be required to fill out another CAPTCHA, after the first. With a grace interval, our sample policy looks like so:


If a user has visited any page 10 times in 24 hours, then require a CAPTCHA every 30 visits.

With this policy, our theoretical user will be required to complete a CAPTCHA on the 10th visit, 40th visit, 70th visit, and so on, within a 24-hour period.

To better understand the CAPTCHA authorization, consider the following scenarios.

Let's say we have the following policy:


When any visitor visits any page 3 times in 24 hours, then require a CAPTCHA every 50 visits.

The typical CAPTCHA interaction is simple. A user visits 3 times, causing Gatekeeper to prompt the user to solve a CAPTCHA. The user solves the CAPTCHA and continues on their merry way.

Another common situation is for a user to initially ignore or fail a CAPTCHA. In these cases, Gatekeeper will continue to require a CAPTCHA until a successful solution is submitted. Once a CAPTCHA has been solved, the user may continue visiting.

However, not all cases will be so simple. Let's look at a policy that relies on CAPTCHA attempt counts.

Imagine we have another policy in the mix. This policy will be used to ban perpetual CAPTCHA ignorers, similar to the sample used in the automatic banning tutorial.


When any visitor ignores a CAPTCHA (does not submit a solution to the challenge) 5 times in 7 days, deny visit and add IP to blacklisted IP addresses.

We can imagine a robot visiting your site, ignoring 5 CAPTCHAs, and getting its IP address banned.

But what about a human? It's also not hard to imagine a person skipping a few CAPTCHAs by accident, but we don't want to ban their IP address for that. This leads to the next difference in how CAPTCHAs are implemented in Gatekeeper.

When reviewing visit history, Gatekeeper typically counts all page visits within the given time period. For example, if we have a policy that triggers after 10 visits in 1 hour, and a user visits 10 times in less than an hour, we can expect this policy to be triggered.

However, unsolved and failed CAPTCHA attempts are only counted since the last solved CAPTCHA or the beginning of the time period, whichever is more recent. To understand why unsolved/failed CAPTCHA attempts are counted differently, consider the following situation.

We still have our two policies from before. The first requires users to complete a CAPTCHA after 3 visits, the second bans users who ignore too many CAPTCHAs. A human visitor triggers the CAPTCHA policy, but then ignores 4 CAPTCHAs in a row. On the fifth CAPTCHA, they notice their mistake and solve the CAPTCHA, allowing them to continue visiting.

50 visits later, the first policy triggers again, challenging this user to solve another CAPTCHA. And they ignore it. What happens now? This is their 5th ignored CAPTCHA, after all.

Thankfully, our careless visitor will not be banned by the CAPTCHA ignorer policy. Since they successfully solved a CAPTCHA after ignoring the first 4, from Gatekeeper's point of view, this user only has 1 ignored CAPTCHA.

Again, policies that check the number of unsolved/failed CAPTCHA attempts only count unsolved/failed attempts in a row. Solving a CAPTCHA resets the count.
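The grace interval schedule and the reset-on-solve counting rule described above can be modeled in a few lines. This is an added sketch, not Gatekeeper's own code: the event labels, function names and sample histories are constructed for illustration, and it assumes each challenge in the grace-interval schedule is solved on the visit where it appears.

```python
from datetime import datetime, timedelta

# Constructed event labels for this sketch; not Gatekeeper's data model.
IGNORED, FAILED, SOLVED = "ignored", "failed", "solved"

def captcha_visits(threshold, grace, visits):
    """Visit numbers in one period that require a CAPTCHA, assuming each
    challenge is solved on the visit where it is shown."""
    return list(range(threshold, visits + 1, grace))

def unsolved_count(events, now, window, kinds=(IGNORED, FAILED)):
    """Count attempts of the given kinds since the last solved CAPTCHA or
    the start of the window, whichever is more recent."""
    cutoff = now - window
    count = 0
    for when, kind in sorted(events):
        if when < cutoff or when > now:
            continue              # outside the policy's time period
        if kind == SOLVED:
            count = 0             # a solve resets the streak
        elif kind in kinds:
            count += 1
    return count

def should_ban(events, now, limit=5, window=timedelta(days=7)):
    """The 'CAPTCHA ignorer' policy: ban at `limit` ignored challenges."""
    return unsolved_count(events, now, window, kinds=(IGNORED,)) >= limit

# Constructed histories matching the two visitors described above.
T0 = datetime(2024, 1, 1, 12, 0)
def at(minutes):
    return T0 + timedelta(minutes=minutes)

ROBOT = [(at(m), IGNORED) for m in range(5)]
HUMAN = [(at(m), IGNORED) for m in range(4)] + [(at(4), SOLVED), (at(90), IGNORED)]
NOW = at(91)

if __name__ == "__main__":
    print(captcha_visits(10, 30, 75))
    for name, history in (("robot", ROBOT), ("human", HUMAN)):
        ignored = unsolved_count(history, NOW, timedelta(days=7), kinds=(IGNORED,))
        print(name, ignored, should_ban(history, NOW))
```

Both visitors have 5 ignored CAPTCHAs in total within 7 days; only the reset on the human's solved challenge keeps the two apart.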

For more details on how Gatekeeper handles CAPTCHA responses, visit our page on computing visit authorizations.