Visit authorization

Algorithm

Visit authorization uses your rule chain to determine the result. For each policy in the chain, the following steps are taken:

Visitor check

Policy visitor groups are checked for a trigger. A visitor group is triggered when at least one of its visitors matches the visit.
For example, if visitor group "blacklisted IPs" contains visitor 1.2.3.4, and the visit IP address is 1.2.3.4, "blacklisted IPs" would be triggered.
If no trigger is found, the policy is skipped.

If available, visit user agent is also checked to determine if the visitor self-identifies as a bot or a human.
Note: by default, policies apply to both bots and humans.
If visitor self-identification does not match the policy's expectation, the policy is skipped.

Action check

Policy page groups are checked for a trigger. A page group is triggered when at least one page matches the visit URL.
For example, if page group "internal" contains page /i/.+, and the visit URL is https://example.com/i/console, "internal" would be triggered.
Note: this check is not performed for policies that apply to CAPTCHA attempts.
If no trigger is found, the policy is skipped.

Frequency check

If the policy applies to CAPTCHA attempts, the number of attempts with the policy's expected CAPTCHA status is queried. Only attempts within the policy time interval are counted.
For example, if the policy is set to trigger after 10 FAILED CAPTCHAs in 5 days, the number of CAPTCHA attempts with status FAILED within the past 5 days is queried.
Note: FAILED and UNSOLVED attempts are counted starting from the last SOLVED CAPTCHA. This allows users to effectively "reset" their count by proving that they are human at least once.
If the number of attempts does not meet the policy number of times threshold, the policy is skipped.

Otherwise, the number of visits to pages matched by the policy page groups is queried. Only visits within the policy time interval are counted.
For example, if the policy is set to trigger after 30 visits in 5 days and has one page group, "internal", the number of visits to pages that match "internal" within the past 5 days is queried.
If the number of visits does not meet the policy number of times threshold, the policy is skipped.

If the policy has the CAPTCHA authorization, a couple more checks are made.
First, the number of UNSOLVED/FAILED CAPTCHA attempts is queried. If there is at least one outstanding UNSOLVED or FAILED attempt, the policy is immediately triggered. This is to prevent a user from simply ignoring CAPTCHAs and reloading the page.
Second, the number of visits is compared against the policy grace period. After the first trigger, CAPTCHA authorization policies will wait a certain number of visits before allowing themselves to be retriggered.
For example, a policy may trigger after 30 visits in 5 days, and then every 100 visits. This policy will trigger on the 30th visit, and again on the 130th visit.
If the number of visits is within the policy grace period, the policy is skipped.
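
The frequency check described above, sketched as an added example (this is not the product's own code). The function names, the (timestamp, status) data model, counting the current visit in the total, and re-triggering every grace-period visits after the first trigger are assumptions.

```python
from datetime import datetime, timedelta

def count_attempts(attempts, status, now, interval):
    """Count CAPTCHA attempts with `status` inside the policy time interval.

    attempts: (timestamp, status) tuples, oldest first (assumed data model).
    FAILED and UNSOLVED are counted only after the last SOLVED attempt.
    """
    recent = [(t, s) for t, s in attempts if now - interval <= t <= now]
    if status in ("FAILED", "UNSOLVED"):
        solved = [i for i, (_, s) in enumerate(recent) if s == "SOLVED"]
        if solved:
            recent = recent[solved[-1] + 1:]  # a SOLVED attempt resets the count
    return sum(1 for _, s in recent if s == status)

def captcha_authorization_triggers(visits, threshold, grace, outstanding):
    """Frequency check for a policy whose authorization is CAPTCHA.

    visits: visits to the policy's page groups in the interval, including
    the current one (assumption). outstanding: UNSOLVED + FAILED attempts.
    """
    if visits < threshold:
        return False  # threshold not met: policy skipped
    if outstanding > 0:
        return True   # ignoring the CAPTCHA and reloading does not help
    # Assumption: re-triggering repeats every `grace` visits after the first.
    return (visits - threshold) % grace == 0

# Constructed sample timeline, oldest first.
NOW = datetime(2024, 1, 10, 12, 0)
def _at(days_ago, status):
    return (NOW - timedelta(days=days_ago), status)

ATTEMPTS = [_at(6, "FAILED")] * 3 + [_at(4, "FAILED")] * 4 + [
    _at(3, "SOLVED"), _at(2, "FAILED"), _at(2, "FAILED"), _at(1, "UNSOLVED")]
INTERVAL = timedelta(days=5)

if __name__ == "__main__":
    failed = count_attempts(ATTEMPTS, "FAILED", NOW, INTERVAL)
    unsolved = count_attempts(ATTEMPTS, "UNSOLVED", NOW, INTERVAL)
    print("FAILED since last SOLVED:", failed)
    for n in (29, 30, 31, 129, 130):
        print(n, captcha_authorization_triggers(n, 30, 100, 0))
    print(31, "outstanding:",
          captcha_authorization_triggers(31, 30, 100, failed + unsolved))
```

In the sample timeline, six FAILED attempts fall inside the 5-day interval, but only the two after the SOLVED attempt count toward the threshold.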