ERROR: Stoken Expired


Chris Johnson

Oct 22, 2015, 1:30:22 PM
to reCAPTCHA
I'm using the secure token feature with the v2 API in PHP. There is no spec for this algorithm, but slushie kindly reverse engineered the example Java code and made a PHP library from it: https://github.com/slushie/recaptcha-secure-token

I've implemented it in my own CakePHP plugin: https://github.com/chrisjohnson/CakePHP-Plugin-ReCaptcha

Anyway, on to the problem at hand. On dev, it works perfectly fine. I generate a session token, present the form, voila.

On prod, using identical code, I get ERROR: Stoken Expired in the captcha widget as soon as the page loads. I have verified that the token isn't being cached, and is generating a unique token on each page load. I verified that my timezone on dev matches the timezone on prod (this shouldn't even matter, should it?). I noticed that they are about 30 seconds apart from each other though.

Does anybody have more details on the secure token algorithm and how the timestamp plays into it? Is there an offset I need to be using? Should the timestamp be matching my user's timestamp?

Chris Johnson

Oct 22, 2015, 1:44:04 PM
to reCAPTCHA
Ugh. It looks like I can arbitrarily subtract 30 seconds from my timestamp and it shows up now. That is an absolutely insane approach though. Is there a saner way to accomplish this without having to have perfectly matched server times?

C.

Jan 10, 2016, 7:51:35 PM
to reCAPTCHA
I'm also having this issue where I have to fiddle with my system time to get this working.

Chris Johnson

Jan 11, 2016, 1:27:45 AM
to reca...@googlegroups.com
I solved this in my library by also including an NTP client and requesting the current NTP time for each request. It sucks, but apparently my server's clock runs out of sync because I do run an NTP server and it's not enough to keep this working without requesting NTP time with my lib.
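
The NTP-based workaround described in the last message comes down to computing a clock offset from an SNTP reply and adding it to the local time before building the token. The following is an added example, not code from the thread or from either linked library; `sntp_offset`, the request nonce and the 300-second bound are assumptions, the reply packet is constructed, and 64-bit PHP is assumed.

```php
<?php
// Added example: SNTP offset calculation with sanity checks (RFC 4330 layout).
const NTP_UNIX_DELTA = 2208988800; // seconds from 1900-01-01 to 1970-01-01

function ntp_to_unix(int $sec, int $frac): float {
    return ($sec - NTP_UNIX_DELTA) + $frac / 4294967296.0;
}

// Offset to add to the local clock, in seconds (negative: local clock is ahead).
// $sentTx: the 8 bytes placed in the request's transmit field (hypothetical nonce).
// $t1/$t4: local microtime(true) when the request left and when the reply arrived.
function sntp_offset(string $reply, string $sentTx, float $t1, float $t4,
                     float $maxAbs = 300.0): float {
    if (strlen($reply) < 48) {
        throw new RuntimeException('short SNTP reply');
    }
    $leap    = ord($reply[0]) >> 6;   // 3 = server clock not synchronized
    $mode    = ord($reply[0]) & 0x07; // 4 = server reply
    $stratum = ord($reply[1]);        // 0 = kiss-of-death, above 15 = reserved
    if ($leap === 3 || $mode !== 4 || $stratum === 0 || $stratum > 15) {
        throw new RuntimeException('not a usable server reply');
    }
    // The server echoes our transmit field as "originate"; a mismatch means
    // the reply does not belong to our request (stale or spoofed).
    if (!hash_equals($sentTx, substr($reply, 24, 8))) {
        throw new RuntimeException('originate timestamp mismatch');
    }
    $f  = unpack('Nrxs/Nrxf/Ntxs/Ntxf', substr($reply, 32, 16));
    $t2 = ntp_to_unix($f['rxs'], $f['rxf']); // server receive time
    $t3 = ntp_to_unix($f['txs'], $f['txf']); // server transmit time
    $offset = (($t2 - $t1) + ($t3 - $t4)) / 2;
    if (abs($offset) > $maxAbs) {
        throw new RuntimeException('implausible offset, refusing to apply');
    }
    return $offset;
}

// Constructed sample: local clock 30 s ahead, 0.25 s network delay each way.
$nonce = "\x01\x02\x03\x04\x05\x06\x07\x08";
$t1    = 1445535000.0;                 // local send time
$t4    = $t1 + 0.5;                    // local receive time
$srv   = 1445534970 + NTP_UNIX_DELTA;  // server seconds in the NTP era
$reply = pack('CCx22a8NNNN', 0x24, 2, $nonce, $srv, 0x40000000, $srv, 0x40000000);

$offset = sntp_offset($reply, $nonce, $t1, $t4);
printf("offset %.3f s, corrected time %.3f\n", $offset, $t4 + $offset);
```

Computing the offset once and caching it for a short interval avoids a network round trip on every page load. The bound and the originate check keep a bad or forged reply from moving token timestamps arbitrarily.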
