For most situations we want the users, not the computers to be the audience of our websites. Therefore, there are situations when we must protect ourselves from automated bots that obtain information from our website, eat the bandwidth or just consume our services (create new email accounts, send text messages to cell phones and so on). The tool for this job is called CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). If you’re interested how it came into being go to CAPTCHA on Wikipedia.
Below is a list of three CAPTCHA solutions that vary from easiest to implement and of course least secure to the safest one (which also involves most work).
Hidden input
The simplest of the techniques is to embed in the page a HTML input element.
<input name="address2" type="text" runat="server" />
Next, we make it invisible on a page by applying CSS style (just one of the possibilities). On the submit, we check if the value has been filled. If it has, then that means a bot was going through the page, not the user (as user could not see the textbox). This solution is very easy to implement and should work if the bot is completely automated (there was no recording of what type of fields should be filled in).
NoBot from AJAX Control Toolkit
One security level higher is the NoBot from ASP.NET AJAX. It is again, a solution that does not need user interaction; therefore it is not very reliable. Also, as it is part of ASP.NET AJAX it will only work in AJAX enabled environment. On the plus side, the user is not bugged by filling out some extra fields.
NoBot employs several techniques to prevent bot attacks:
- Forcing the client's browser to perform a configurable JavaScript calculation and verifying the result as part of the postback. (Ex: the calculation may be a simple numeric one, or may also involve the DOM for added assurance that a browser is involved)
- Enforcing a configurable delay between when a form is requested and when it can be posted back. (Ex: a human is unlikely to complete a form in less than two seconds)
- Enforcing a configurable limit to the number of acceptable requests per IP address per unit of time. (Ex: a human is unlikely to submit the same form more than five times in one minute)
If you want to see a live demo, go to NoBot Sample from Ajax Control Toolkit
CAPTCHA Image Control
Safest on the list is CAPTCHA Image Control. Since everyone has used these CAPTCHAs as user it’s best to just show how this solution looks.
The image displayed is distorted not to allow machine to find out the text on a picture. There are a lot commercial solutions that offer these controls for ASP.NET, however there is also a bunch of them free. I particularly like the one written by Jeff Atwood, author of the brilliant www.codinghorror.com blog. He published this control on CodeProject, it is located here. Go check it out!
Note:
Last solution is not suitable for blind or visually impaired users. Therefore, sometimes you can find sound CAPTCHAs for these scenarios.