Answer these questions to help the Community help you with Security questions.
Have you searched for an answer? Yes
Describe the issue you are having:
When a CAPTCHA challenge or Managed Challenge is configured, and someone successfully passes the challenge, there should be a way to reset all challenges, requiring those who had previously solved the challenge (and who match the WAF rule) to do so again. How can this be accomplished?
To reset WAF challenges, you can modify the expiration of the challenge cookie. Go to your Cloudflare Dashboard > Security > Settings, and edit "Challenge Passage". This is the duration (in minutes) that a successful challenge response is valid. By reducing this value, you'll require users to complete the challenge more frequently.
Thanks, however it appears that this doesn't apply to WAF: The help screen says:
"Why doesn't the TTL apply to the WAF?
Challenge passage does not apply to challenges issued by the WAF (Web Application Firewall) as these challenges are not based on the visitor's IP address reputation."
This has been discussed here, and it seemed at the time no option was available other than disabling the rule altogether (or possibly changing its action to either Block or Log):
Thank you. I was wondering, if you do quickly change a WAF rule to "Block", and then back to "Challenge", does this accomplish the same thing (force all previously passed challenge users to solve the challenge again)?
lol, I was wondering the same, but haven't tested. You could try to find a WAF rule that can be easily triggered, set it to Managed Challenge, break it on a test URL and see what happens.
I tested this, and unfortunately, it does NOT work.
Once you satisfy the challenge, switching to Block, and then back to challenge does NOT require you to re-authenticate. This is really a shame.