Drawing the Captcha Image
You still need to draw the string as an image. The .NET framework simplifies the drawing process into just a few fairly intuitive lines of code. Listing 1 shows the drawing code, which you can find in the DrawRandomImage.aspx.vb file in the downloadable code.
The code in Listing 1 takes the string parameter (ds) and then draws it in a bold typeface onto a graphic image. Next, it adds some random lines to the image to throw off OCR scanning software. Finally, the page sets the ContentType to "image/jpeg" and saves the image to the Response.OutputStream.
To link that all up, take a look at the following Page_Load handler:
Private Sub Page_Load(ByVal sender As System.Object, _
ByVal e As System.EventArgs) Handles MyBase.Load
' Conjure up some Random Characters in a String
Dim b As New RandomStringGenerator
Dim s As String
s = b.GenerateRandomString(5)
' Hash the Random String together with a SecretKey
' (Machine Authentication Check) to prevent MITM spoof
Dim hMACIString As String = b.HashMACMe(s)
' Store the results in a HTTPCookie
Dim c As HttpCookie = New HttpCookie("hMACIString")
c.Value = hMACIString
Dim dtNow As DateTime = DateTime.Now
' Set expiration of 365 days - Change this to your requirements
Dim tsYear As New TimeSpan(365, 0, 0, 0)
c.Expires = dtNow.Add(tsYear)
' Write the cookie to the response so the browser sends it back on submit
Response.Cookies.Add(c)
' Call the above DrawStringImage routine
End Sub
Verifying the Data
Now all that's left is verifying the data, which the page does in the Submit button event handler:
Private Sub Button1_Click(ByVal sender As System.Object, _
ByVal e As System.EventArgs) Handles Button1.Click
Dim hMACIString As String
' Read back the cookie written by Page_Load
Dim c As HttpCookie = Request.Cookies("hMACIString")
If c Is Nothing Then
' No cookie means no challenge was issued; never accept the input
lblResult.Text = "SPOOFED"
Return
End If
hMACIString = c.Value
Dim b As New RandomStringGenerator
' Send to next page in a real application
If (hMACIString = b.HashMACMe(AccessKey.Text)) Then
lblResult.Text = "Real Person"
Else
lblResult.Text = "SPOOFED"
End If
End Sub
The AccessKey text box control contains the string data that the user enters. The client sends it back to the server, which appends the secret MAC key, hashes the string, and then compares the result against the cookie value written earlier by the DrawRandomImage.aspx page. Figure 2 shows the completed page in a browser.
Figure 2. The Completed Captcha: Users read the text of the obfuscated image, enter that into the text field, and click submit.
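The issue-and-verify round trip that Page_Load and Button1_Click perform, as an added example that is not part of the article's code: it is written in Python rather than VB.NET, uses HMAC-SHA256 in place of the article's HashMACMe helper, and the secret key is a constructed value.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional, Tuple

# Constructed server-side secret for the demo; in the article's design this is
# the SecretKey that HashMACMe appends before hashing, and it never reaches
# the client.
SECRET_KEY = b"constructed-demo-secret-key"

ALPHABET = string.ascii_uppercase + string.digits


def hash_mac(secret: bytes, text: str) -> str:
    """Stand-in for HashMACMe: bind the challenge text to the server secret
    so a client cannot compute a matching cookie value on its own."""
    return hmac.new(secret, text.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_challenge(secret: bytes, length: int = 5) -> Tuple[str, str]:
    """Page_Load side: pick the random string that gets drawn into the image
    and the cookie value that commits the server to that string."""
    challenge = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return challenge, hash_mac(secret, challenge)


def verify_response(secret: bytes, cookie_value: Optional[str],
                    user_input: str) -> bool:
    """Button1_Click side: recompute the MAC over what the user typed and
    compare it with the cookie written when the image was issued."""
    if not cookie_value:
        return False  # no cookie, no issued challenge: never accept
    expected = hash_mac(secret, user_input)
    # compare_digest does not short-circuit on the first mismatching byte
    return hmac.compare_digest(expected, cookie_value)


if __name__ == "__main__":
    text, cookie = issue_challenge(SECRET_KEY)
    print("draw into image:", text)
    print("cookie hMACIString:", cookie)
    print("correct entry ->", verify_response(SECRET_KEY, cookie, text))
    print("wrong entry   ->", verify_response(SECRET_KEY, cookie, text + "X"))
```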
As you can see from the code snippets above, it's fairly simple to implement a captcha-like technology in .NET. You do have to be careful not to overdo the obfuscation of the random images. Over-engineering them makes reading the characters a challenge and a chore for legitimate users, and it will definitely be a turn-off.
Please note that I only recommend this as an added layer of security on top of other security features that your application implements. All the security layers must work together to form part of application authentication and security.
To extend this idea, you might want to expose this captcha feature as a Web service and implement it as part of your organization's service-oriented architecture so that your other login pages can use the feature as well. To do that, you may want to try WS-Attachments and DIME to stream the image binaries across the wire. Be careful though, because WS-Attachments and DIME are not supported in Indigo, Microsoft's upcoming Web services framework.