

How to Spoof-proof Your Logins : Page 5

Who's accessing your Web applications? If you think only humans are registering and logging in, you may be surprised. Learn how to teach your application to differentiate between humans and machines and reject automated registration and login requests.

Drawing the Captcha Image
You still need to draw the string as an image. The .NET framework simplifies the drawing process into just a few fairly intuitive lines of code. Listing 1 shows the drawing code, which you can find in the DrawRandomImage.aspx.vb file in the downloadable code.

The code in Listing 1 takes the string parameter (ds) and draws it in a bold typeface onto a graphic image. It then adds some random lines to the image to throw off OCR software. Finally, the page sets the ContentType to "image/jpeg" and writes the image to Response.OutputStream for rendering.

To link that all up, take a look at the following Page_Load event code:

Private Sub Page_Load(ByVal sender As System.Object, _
    ByVal e As System.EventArgs) Handles MyBase.Load

    ' Conjure up some random characters in a string
    Dim b As New RandomStringGenerator
    Dim s As String
    s = b.GenerateRandomString(5)

    ' Hash the random string together with a secret key
    ' (a message authentication code) so the client cannot forge the cookie
    Dim hMACIString As String = b.HashMACMe(s)

    ' Store the result in an HTTP cookie
    Dim c As HttpCookie = New HttpCookie("hMACIString")
    c.Value = hMACIString
    Dim dtNow As DateTime = DateTime.Now

    ' Set expiration of 365 days - change this to your requirements
    Dim tsYear As New TimeSpan(365, 0, 0, 0)
    c.Expires = dtNow.Add(tsYear)
    Response.Cookies.Add(c)

    ' Call the DrawStringImage routine from Listing 1
    Call DrawStringImage(s)
End Sub

Verifying the Data
Now all that's left is verifying the data, which the page does in the Submit button event handler:

Private Sub Button1_Click(ByVal sender As System.Object, _
    ByVal e As System.EventArgs) Handles Button1.Click

    Dim hMACIString As String = ""
    Try
        ' Read back the cookie written by DrawRandomImage.aspx
        Dim c As HttpCookie = Request.Cookies("hMACIString")
        hMACIString = c.Value
    Catch
        ' No cookie: hMACIString stays empty and the comparison below fails
    End Try

    Dim b As New RandomStringGenerator
    ' Recompute the MAC over what the user typed and compare it with the cookie.
    ' In a real application, send the user to the next page instead of a label.
    If (hMACIString = b.HashMACMe(AccessKey.Text)) Then
        lblResult.Text = "Real Person"
    Else
        lblResult.Text = "SPOOFED"
    End If
End Sub

The AccessKey control contains the string the user entered. The client sends it back to the server, which appends the secret MAC key, hashes the string, and compares the result against the cookie value written earlier by the DrawRandomImage.aspx page. Figure 2 shows the completed page in a browser.

Be aware of what this check does and does not prove. The server keeps no state about the challenge: nothing in the cookie ties it to a particular request or time, and the cookie lives for 365 days. A client that has captured one valid (answer, cookie) pair, whether by solving the image once or by having a human solve it, can replay that pair on every later submission and pass the check each time. If you use this pattern in production, include a nonce and an expiry in the data that is MACed, reject a nonce that has already been redeemed, keep the cookie lifetime to minutes rather than a year, and compare the two MAC values with a constant-time comparison rather than ordinary string equality.
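The following is an added example and not code from the article: the cookie-based MAC check described above, reimplemented in Python so it can be run stand-alone. It models the article's scheme as described (a MAC over the answer, stored in the cookie and compared against a MAC over whatever the user types) beside a hardened version that binds a nonce and an expiry into the MAC, rejects a token that has already been redeemed, and compares in constant time. SECRET_KEY, the token layout, the set used to track redeemed nonces and all function names are assumptions of this example; the article's RandomStringGenerator class is not used.

```python
"""Added example, not from the article: the cookie-based MAC check
reimplemented in Python. SECRET_KEY, the token layout and every name here
are assumptions of this example."""
import hashlib
import hmac
import secrets
import string

SECRET_KEY = b"replace-with-a-server-side-secret"  # assumption: load from config, never ship in source
ALPHABET = string.ascii_uppercase + string.digits


def generate_random_string(length=5):
    """Characters to draw in the image (the role of GenerateRandomString)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


# --- Model of the article's scheme: MAC over the answer alone ---------------
def hash_mac_me(answer):
    """MAC over the answer only; this is what the article stores in the cookie."""
    return hmac.new(SECRET_KEY, answer.upper().encode(), hashlib.sha256).hexdigest()


def article_verify(cookie, user_input):
    """Button1_Click logic: cookie equals the MAC of what was typed.
    Nothing in the cookie changes between requests, so a (cookie, answer)
    pair that passed once keeps passing until the cookie expires."""
    return cookie == hash_mac_me(user_input)


# --- Hardened version: nonce and expiry inside the MAC, single use ----------
def _tag(answer, nonce, expires):
    msg = f"{answer.upper()}|{nonce}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(answer, now, ttl_seconds=300):
    """Cookie value: nonce.expiry.tag, with nonce and expiry covered by the MAC."""
    nonce = secrets.token_hex(8)
    expires = now + ttl_seconds
    return f"{nonce}.{expires}.{_tag(answer, nonce, expires)}"


_used_nonces = set()  # server-side; in a web farm this would be a shared cache


def verify_token(token, user_input, now):
    """True only for a fresh, untampered token whose answer matches.
    Each token can succeed at most once."""
    try:
        nonce, expires_s, tag = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return False  # malformed cookie
    if now > expires:
        return False  # expired
    if nonce in _used_nonces:
        return False  # replayed
    if not hmac.compare_digest(_tag(user_input, nonce, expires), tag):
        return False  # wrong answer, or nonce/expiry tampered with
    _used_nonces.add(nonce)
    return True


if __name__ == "__main__":
    answer = generate_random_string()
    cookie = hash_mac_me(answer)
    print("article scheme, first submit:", article_verify(cookie, answer))
    print("article scheme, replayed    :", article_verify(cookie, answer))
    token = issue_token(answer, now=1_000)
    print("hardened, first submit      :", verify_token(token, answer, now=1_010))
    print("hardened, replayed          :", verify_token(token, answer, now=1_020))
```

The nonce set is the one piece of server-side state the hardened version needs; without it, binding an expiry alone only shortens the replay window rather than closing it.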

Figure 2. The Completed Captcha: Users read the text of the obfuscated image, enter that into the text field, and click submit.
As you can see from the code snippets above, it's fairly simple to implement a captcha-like technology in .NET. You do have to be careful not to overdo the obfuscation of the random images. Over-engineering them makes reading the characters a challenge and a chore for legitimate users, which will definitely be a turn-off.

Please note that I only recommend this as an added layer of security on top of other security features that your application implements. All the security layers must work together to form part of application authentication and security.

To extend this idea, you might want to expose this captcha feature as a Web service and implement it as part of your organization's service-oriented architecture so that your other login pages can use the feature as well. To do that, you may want to try WS-Attachments and DIME to stream the image binaries across the wire. Be careful though, because WS-Attachments and DIME are not supported in Indigo, Microsoft's upcoming Web services framework.

William Tay is an Enterprise Software Solutions Architect with NCS Pte. Ltd. His interests include object-oriented programming principles, analysis and design, and XML Web Services. He has done research, development, and implementation work in applying Web Services in Service-Oriented Architectures. He is a Microsoft Regional Director and is active in evangelizing Microsoft .NET Technologies. He is an XML Web Services user group lead and moderator for one of INETA's member sites: http://www.sgdotnet.org. NCS Pte. Ltd is a Microsoft (Singapore) Gold Partner and is one of the premier Systems Integrators and Builders in Asia Pacific.