Based on https://support.cloudflare.com/hc/en-us/articles/200170136
it seems that Challenge Passage (cookie-based duration until next challenge) does not apply to Web Application Firewall. Is this only for “Web Application Firewall” or also for “Cloudflare Managed Ruleset” and “Package: OWASP ModSecurity Core Rule Set”?
And is there a way to bypass the WAF for users that have correctly answered the captcha recently?
One of our users had this to say about his experience posting on our forum:
Sometimes I respond to a new post notification on a different device with a browser VPN, and am asked for CAPTCHA verification. Sometimes it behaves more as a “Kafka verification”, with every use of the [Preview] button resulting in a new verification request, and the post disappearing into the ether with the use of the [Submit] button. Is this a problem with my browser (Opera Version:81.0.4196.60), with the CAPTCHA service, or with ANN’s setup?
This page https://support.cloudflare.com/hc/en-us/articles/200172016
has a section about troubleshooting WAF false positives, but it’s of limited usefulness since the Activity Log does not even have a way to find false positive events (requests where a challenge was displayed and successfully answered). So the only option left is to disable the WAF entirely… :-/
Based on this I would like to request that
- WAF support Challenge Passage.
- Activity Log can filter by “passed challenge” or “failed challenge”