Robot Detection in Sitecore 9.3 Forms

On November 28th, Sitecore released version 9.3 of its Experience Platform. This release contains a substantial update to Sitecore Forms. A quick overview of the new goodies:

  • Publish option from the forms dashboard
  • FileUpload control
  • Email confirmation control
  • Redirect to Url submit action
  • Robot Detection

Robot Detection

Let’s zoom in a bit on the robot detection. The detection is enabled by default on your form. You can disable it on the form settings tab in the advanced section.

Robot detection works the same way as bots are detected to keep xDB database clean and free of bot data.

Submit Actions

The robot detection works in collaboration with the submit actions of Sitecore Forms. On the submit actions, there is no an additional checkbox “Enable Robot Submission”. When this checkbox is enabled the action will always be executed, even if your session is marked as a robot.

If you leave the checkbox unchecked, then the action won’t get executed if the session is detected is a robot. In this case, the form will just continue to work, the user or bot will not get a message that his session was marked as a robot and that the action was not executed. So no error-messages for the robots, the code of the submit action will just not be executed.

Am I a robot?

In order to detect whether you are a robot, the mechanism uses among other things javascript mouse-cursor detection. And there in also lies its vulnarability. If the user uses an add-blocker or social-tracking blocker, the blocker can block this script. And although you are a real user, in the eyes of Sitecore forms you will be marked as a bot and some of the submit action won’t get executed.

As a user, you will be unaware that some actions will not have been executed. So the user might think that they for example entered a contest. The user got a confirmation page of there entry but his data was not stored and actually didn’t enter the contest.


Robot detection is a cool new feature in Sitecore Forms, but the danger that some real sessions might be detected as a bot, and that they are not notified of that is for me no option.

It would be nice to have an option of telling the end user that they should disable tracking blockers. Maybe something for the forms-extension module.

Leave a Reply

Your email address will not be published. Required fields are marked *