Imperva Cyber Community

Multiple Advanced Bot Protection domains and clearing captcha


    Imperva Employee
    Posted 12-02-2020 14:43
    It is important to understand how your implementation of the Advanced Bot Protection can impact user workflow. For this brief post, I will go over how distinct domains can interact with each other.


    • Within Website Group Foo, I have the domain and it uses encryption key ABC.
    • Within Website Group Bar, I have the domain and it also is configured to use encryption key ABC.
    • Both domains have the reese84 cookie scoped to
    • Both website groups use the same policy which will captcha bad user agents, but allow for a cleared captcha to navigate the domain.

    User workflow.

    As a user, I start on and have a bad user-agent so I receive a captcha. I clear the captcha successfully at I then navigate to with the same bad user-agent.

    What happens next?

    The expected behavior is that I will not receive a captcha when visiting This is because the state of the captcha solve is keyed on the token as part of the reese84 cookie. If the encryption keys were different for the domains, then I should receive a captcha when going through the same workflow.

    Brooks Cunningham
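
The workflow described in the post, as an added toy model (not Imperva code and not from the original post). It assumes an HMAC-tagged token as a stand-in for the encrypted reese84 token, whose real format the post does not describe; the hostnames, the `captcha_solved` field and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

def seal(key: bytes, state: dict) -> str:
    """Stand-in for the encrypted token: payload plus HMAC-SHA256 tag under the group key."""
    body = base64.urlsafe_b64encode(json.dumps(state, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def unseal(key: bytes, token: str):
    """Return the state dict if the tag verifies under this key, else None."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

def cookie_sent(scope: str, host: str) -> bool:
    """Browser domain matching: a cookie goes to its scope and to subdomains of it."""
    scope = scope.lstrip(".")
    return host == scope or host.endswith("." + scope)

class WebsiteGroup:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def solve_captcha(self, jar: dict, scope: str) -> None:
        # The solve state lives in the token, stored under the cookie's scope.
        jar[scope] = seal(self.key, {"captcha_solved": True})

    def handle(self, host: str, bad_user_agent: bool, jar: dict) -> str:
        """Policy from the post: captcha bad user agents unless a solve is on record."""
        state = None
        for scope, token in jar.items():
            if cookie_sent(scope, host):
                state = unseal(self.key, token)
        if not bad_user_agent or (state and state.get("captcha_solved")):
            return "allow"
        return "captcha"

def workflow(key_foo: bytes, key_bar: bytes, scope: str):
    """Bad user agent hits the first domain, solves the captcha, then visits the second."""
    foo, bar = WebsiteGroup("Foo", key_foo), WebsiteGroup("Bar", key_bar)
    jar = {}
    first = foo.handle("a.example.test", True, jar)       # constructed hostname
    foo.solve_captcha(jar, scope)
    second = foo.handle("a.example.test", True, jar)
    third = bar.handle("b.example.test", True, jar)       # constructed hostname
    return first, second, third
```

In this model the solve carries over only when both conditions from the list hold: the cookie scope covers both hosts and both website groups validate with the same key.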