When displaying the client-side HTML, reCAPTCHA is dropping 3rd-party tracking cookies from Google which may not be acceptable for some cases (for example, on .gov sites). Digging around a little, I've found references to a nocookie string that can be passed when invoking the reCAPTCHA HTML like this:

<script type="text/javascript" src="http://api.recaptcha.net/challenge?k=<my public key>&nocookie=1"> 

I haven't found anything official on this in the reCAPTCHA documentation but this was working for me during testing (i.e. no cookies were dropped by reCAPTCHA using this url parameter).

For the reCAPTCHA Drupal module, this could be added as a simple admin setting (checkbox) which would then add the 'nocookie=1' string to the public key before the module makes the call to the reCAPTCHA php library.

if ($recaptcha_nocookies) {
    $recaptcha_public_key .= "&nocookie=1";

$html = recaptcha_get_html($recaptcha_public_key,  ...

I've got this working in my dev environment and can roll up a patch for testing but wanted to see if a.) this was of any broader interest for this module; or b.) if anyone had any more experience / information on how reCAPTCHA is dropping cookies and what the best way of disabling them would be. I suspect the cookies also play a role in securing the form against repeated attacks but for some instances, the increase in user privacy may trump spam concerns.

Members fund testing for the Drupal project. Drupal Association Learn more


schnippy’s picture

Attaching patch for above comment for testing..

RobLoach’s picture

Status: Active » Fixed
1.52 KB

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.