reCAPTCHA relies on cookies for session tracking, risk scoring, and challenge state management. Missing or incorrectly handled cookies cause solve failures, low scores, and repeated challenges. This guide covers every cookie reCAPTCHA uses, how sessions affect scoring, and practical cookie management for automation.
Cookies reCAPTCHA sets and uses
reCAPTCHA-specific cookies
| Cookie | Domain | Purpose | Lifetime |
|---|---|---|---|
_GRECAPTCHA |
.google.com |
Cross-site reCAPTCHA state | 6 months |
rc::a |
Target site | Risk analysis data (canvas, mouse behavior hash) | Session |
rc::b |
Target site | Risk analysis data (behavioral signals) | Session |
rc::c |
Target site | Risk analysis data (timing) | Session |
rc::d-15# |
Target site | Challenge state persistence | Session |
Google account cookies (affect score)
| Cookie | Domain | Purpose | Score impact |
|---|---|---|---|
SID |
.google.com |
Google session ID | +0.1 to +0.3 |
HSID |
.google.com |
HTTP-only session ID | Part of session trust |
SSID |
.google.com |
Secure session ID | Part of session trust |
NID |
.google.com |
Google preference/session | +0.05 to +0.1 |
1P_JAR |
.google.com |
Google ad personalization | Minor trust signal |
Third-party cookies used by reCAPTCHA
| Cookie | Domain | Purpose |
|---|---|---|
CONSENT |
.google.com |
Cookie consent state |
AEC |
.google.com |
Encrypted ad cookie |
SOCS |
.google.com |
Cookie consent settings |
How cookies affect reCAPTCHA scoring
Fresh session (no cookies)
New browser session, all cookies cleared
↓
reCAPTCHA JavaScript loads
↓
No _GRECAPTCHA → First-time visitor signal
No SID/HSID → No Google account trust
No rc:: cookies → No behavioral history
↓
Starting risk score: lower baseline (0.3-0.5 for v3)
↓
Behavioral analysis must compensate for lack of history
↓
Result: More likely to receive visible challenge (v2)
Lower score (v3)
Returning session (with cookies)
Existing browser session with cookies
↓
reCAPTCHA JavaScript loads
↓
_GRECAPTCHA found → Returning visitor
SID/HSID found → Google account trust
rc:: cookies found → Previous behavioral data
↓
Starting risk score: higher baseline (0.5-0.7 for v3)
↓
Behavioral analysis reinforces cookie-based trust
↓
Result: More likely to auto-pass (v2)
Higher score (v3)
Cookie management in automation
Strategy 1: Persistent cookie jar
Maintain cookies across requests to build session trust:
import requests
import pickle
import os
class CookieManager:
"""Manage cookies for reCAPTCHA sessions."""
def __init__(self, cookie_file="cookies.pkl"):
self.cookie_file = cookie_file
self.session = requests.Session()
self.load_cookies()
def load_cookies(self):
"""Load cookies from disk if they exist."""
if os.path.exists(self.cookie_file):
with open(self.cookie_file, "rb") as f:
self.session.cookies = pickle.load(f)
def save_cookies(self):
"""Save cookies to disk for next session."""
with open(self.cookie_file, "wb") as f:
pickle.dump(self.session.cookies, f)
def visit_page(self, url):
"""Visit a page to collect cookies."""
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
"AppleWebKit/537.36 (KHTML, like Gecko) "
"Chrome/120.0.0.0 Safari/537.36",
}
response = self.session.get(url, headers=headers, timeout=15)
self.save_cookies()
return response
def get_recaptcha_cookies(self):
"""Get cookies relevant to reCAPTCHA."""
relevant = {}
for cookie in self.session.cookies:
if cookie.name in ["_GRECAPTCHA", "SID", "HSID", "SSID", "NID"]:
relevant[cookie.name] = {
"value": cookie.value[:20] + "...",
"domain": cookie.domain,
"expires": cookie.expires,
}
if cookie.name.startswith("rc::"):
relevant[cookie.name] = {
"value": cookie.value[:20] + "...",
"domain": cookie.domain,
}
return relevant
# Usage
cm = CookieManager("recaptcha_session.pkl")
cm.visit_page("https://example.com/login") # Build cookies
print(cm.get_recaptcha_cookies())
Strategy 2: Cookie forwarding in Selenium
from selenium import webdriver
import json
def setup_cookies(driver, cookie_file="selenium_cookies.json"):
"""Load and apply saved cookies to a Selenium session."""
if not os.path.exists(cookie_file):
return
with open(cookie_file, "r") as f:
cookies = json.load(f)
for cookie in cookies:
# Selenium requires the domain to match current page
try:
driver.add_cookie(cookie)
except Exception:
pass # Skip cookies for different domains
def save_cookies(driver, cookie_file="selenium_cookies.json"):
"""Save current cookies for future sessions."""
cookies = driver.get_cookies()
with open(cookie_file, "w") as f:
json.dump(cookies, f)
# Usage
driver = webdriver.Chrome()
driver.get("https://example.com")
setup_cookies(driver) # Apply saved cookies
driver.refresh() # Reload with cookies
# After CAPTCHA solving...
save_cookies(driver) # Save for next run
Strategy 3: Cookie forwarding in Puppeteer
const puppeteer = require("puppeteer");
const fs = require("fs");
async function manageCookies(page, cookieFile = "cookies.json") {
// Load cookies if file exists
if (fs.existsSync(cookieFile)) {
const cookies = JSON.parse(fs.readFileSync(cookieFile));
await page.setCookie(...cookies);
}
// Save cookies after page interaction
const saveCookies = async () => {
const cookies = await page.cookies();
fs.writeFileSync(cookieFile, JSON.stringify(cookies, null, 2));
};
return { saveCookies };
}
(async () => {
const browser = await puppeteer.launch({ headless: false });
const page = await browser.newPage();
const { saveCookies } = await manageCookies(page);
await page.goto("https://example.com/login");
// ... solve CAPTCHA ...
await saveCookies();
await browser.close();
})();
Session requirements for API-based solving
When using CaptchaAI, the solver generates tokens in its own environment. The target website validates the token without checking your browser's cookies. However, some implementations add extra validation:
Standard reCAPTCHA (most sites)
No cookie forwarding needed. CaptchaAI generates a valid token using only the sitekey and pageurl:
import requests
import time
API_KEY = "YOUR_API_KEY"
# Standard solve — no cookies needed
submit = requests.post("https://ocr.captchaai.com/in.php", data={
"key": API_KEY,
"method": "userrecaptcha",
"googlekey": "SITE_KEY",
"pageurl": "https://example.com/login",
"json": 1,
})
Cookie-dependent implementations
Some high-security sites validate that the session submitting the token matches the session that loaded the reCAPTCHA widget. In these cases:
- Load the page in a real browser to establish cookies
- Extract the sitekey from the loaded page
- Submit to CaptchaAI with sitekey and pageurl
- Inject the returned token into the same browser session
- Submit the form from the browser (maintaining the cookie chain)
from selenium import webdriver
from selenium.webdriver.common.by import By
import requests
import time
API_KEY = "YOUR_API_KEY"
# Step 1: Load page in real browser (establishes cookies)
driver = webdriver.Chrome()
driver.get("https://secure-site.com/login")
# Step 2: Extract sitekey
widget = driver.find_element(By.CSS_SELECTOR, "[data-sitekey]")
sitekey = widget.get_attribute("data-sitekey")
# Step 3: Solve via CaptchaAI
submit = requests.post("https://ocr.captchaai.com/in.php", data={
"key": API_KEY,
"method": "userrecaptcha",
"googlekey": sitekey,
"pageurl": driver.current_url,
"json": 1,
})
task_id = submit.json()["request"]
for _ in range(60):
time.sleep(5)
result = requests.get("https://ocr.captchaai.com/res.php", params={
"key": API_KEY,
"action": "get",
"id": task_id,
"json": 1,
}).json()
if result.get("status") == 1:
token = result["request"]
break
# Step 4: Inject token into browser session (same cookies)
driver.execute_script(
f'document.getElementById("g-recaptcha-response").value = "{token}";'
)
# Step 5: Submit form from same browser session
driver.find_element(By.CSS_SELECTOR, "form").submit()
Third-party cookie blocking impact
Chrome's third-party cookie deprecation
Chrome is phasing out third-party cookies. This affects reCAPTCHA because _GRECAPTCHA is set on .google.com and read from third-party context.
Google's response:
- reCAPTCHA v3 and Enterprise use first-party JavaScript execution
- Cookies are transitioning to
Partitioned(CHIPS) storage rc::cookies are already first-party (set on the target site's domain)
Impact on automation:
- Minimal. API-based solving is unaffected because CaptchaAI generates tokens server-side.
- Browser-based automation may see minor score changes as Google adjusts its cookie strategy.
Cookie troubleshooting
| Issue | Cause | Solution |
|---|---|---|
| reCAPTCHA v2 always shows image challenge | No session cookies, low trust | Persist cookies across requests |
| reCAPTCHA v3 score always < 0.3 | Fresh session every time | Maintain cookie jar |
| Token works once then fails on retry | Session cookie mismatch | Use same session for page load and submit |
| "Cookie/session validation failed" | Site checks cookie chain | Use browser-based token injection |
| reCAPTCHA widget does not load | Third-party cookies blocked | Allow google.com cookies |
Frequently asked questions
Do I need to pass cookies to CaptchaAI?
No. CaptchaAI generates tokens in its own optimized environment and does not need your browser cookies. You only need to provide sitekey and pageurl. The generated token is valid for submission from any client.
Do cookies expire and require refresh?
Yes. _GRECAPTCHA lasts 6 months but rc:: session cookies expire when the browser closes. Google account cookies (SID, HSID) last 2 years but can be invalidated by Google. For automation, persist cookies to disk and refresh them periodically by visiting the target site.
Can I use cookies from one browser in another?
Yes, with limitations. Cookies can be exported (as JSON or Netscape format) and imported into requests, Selenium, or Puppeteer sessions. However, the browser fingerprint will differ, which reCAPTCHA may detect. The cookies provide a trust bonus, but the new browser environment may offset it.
Why does clearing cookies make reCAPTCHA harder?
Clearing cookies removes the _GRECAPTCHA trust cookie and the rc:: behavioral history cookies. reCAPTCHA treats you as a completely new visitor with no history, starting the risk score at a lower baseline. This is why incognito/private browsing often triggers more CAPTCHA challenges.
Summary
reCAPTCHA uses cookies for session tracking (rc:: cookies), cross-site trust (_GRECAPTCHA), and Google account linking (SID, HSID). Fresh sessions with no cookies produce lower scores and harder challenges. For API-based solving with CaptchaAI, cookies are not required — the solver generates valid tokens using only the sitekey and page URL. For cookie-dependent implementations, use a browser-based approach: load the page (establishing cookies), solve via CaptchaAI, inject the token, and submit from the same browser session.
Discussions (0)
Join the conversation
Sign in to share your opinion.
Sign InNo comments yet.