Answer these questions to help the Community help you with Security questions.
Have you searched for an answer? Yes
Describe the issue you are having:
When a CAPTCHA challenge or Managed Challenge is configured, and someone successfully passes the challenge, there should be a way to reset all challenges, requiring those who had previously solved the challenge (and who match the WAF rule) to do so again. How can this be accomplished?
To reset WAF challenges, you can modify the expiration of the challenge cookie. Go to your Cloudflare Dashboard > Security > Settings, and edit “Challenge Passage”. This is the duration (in minutes) that a successful challenge response is valid. By reducing this value, you’ll require users to complete the challenge more frequently.
Thanks, however it appears that this doesn’t apply to WAF: The help screen says:
"Why doesn’t the TTL apply to the WAF?
Challenge passage does not apply to challenges issued by the WAF (Web Application Firewall) as these challenges are not based on the visitor’s IP address reputation."
This has been discussed here, and it seemed at the time no option was available other than disabling the rule altogether (or possibly changing its action to either Block or Log):
Thank you. I was wondering, if you quickly change a WAF rule to ‘Block’, and then back to ‘Challenge’, does this accomplish the same thing (force all users who previously passed the challenge to solve it again)?
lol, I was wondering the same, but haven’t tested. You could try to find a WAF rule that can be easily triggered, set it to Managed Challenge, break it on a test URL and see what happens.
I tested this, and unfortunately, it does NOT work.
Once you satisfy the challenge, switching to Block, and then back to challenge does NOT require you to re-authenticate. This is really a shame.