I figured out what the problem was. For users who are viewing the
captcha who do not have JavaScript enabled, which it looks like a lot
of mobile devices, they are not doing the verification process
correctly.
How the ColdFusion api works without JavaScript is that the user is
supposed to type in the two words into the recaptcha text box and
click the "I am human." button. After they are verified, they get a
long verification key that looks something like this:
"03AHJ_VuuRXsEkIf6pdyWE6nuI9PGZr2wNnuWI76_y1k3598OkrzehRmfSww0b5z3ZFFocKDoA9IPdfPdhwy1nMmli48pM..."
The user is supposed to copy that key and paste it into a second box
and then hit the submit button on the actual form.
What I am seeing is that 5% of the time, users are not submitting the
entire verification code, probably because it is hard to copy and
paste from a mobile device. About 45% of the time, they don't copy and
paste the verification string, they just submit the form with a blank
verification string field. About 45% of the time, they are just
retyping the two recaptcha words in the verification string box. And,
about 5% of the time, they are entering the regular form data in the
verification box.
So, in summary, if the user isn't submitting the whole verification
string correctly, the ColdFusion API throws a "invalid-request-cookie"
error. I'm going to build another help page for non-javascript users
who need help with this form.
-- James