Scott on Writing

Musings on technical writing...

Login Control + CAPTCHA

My latest installment (Part 5) of the Examining ASP.NET 2.0's Membership, Roles, and Profile article series shows how to extend the Login control by adding Web controls to its interface and how to customize the authentication logic accordingly. In particular, the article includes a demo (among others) that shows how to add a CAPTCHA to the Login control. For that demo I'm using Jeff Atwood's free (and open-source) ASP.NET CAPTCHA server control.

In short, to accomplish this perform the following tasks:

  • Convert the Login control into a template. This can be done from the Designer by clicking on the "Convert to Template" option in the control's smart tag.
  • Augment the Login control's template markup to include Jeff's CAPTCHA control (my example also requires that the user enter their email address on file).
  • Create an event handler for the Login control's Authenticate event. In there, verify the user's username and password via a call to Membership.ValidateUser(username, password). Assuming that check passes, programmatically access the Email and CAPTCHA controls using LoginControlID.FindControl("ID") and verify the validity of those inputs. If the user has supplied valid inputs all around, set e.Authenticated to True; otherwise, if any check fails, set e.Authenticated to False.
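
As an added example (not code from the article or its download), here is a C# sketch of that Authenticate handler. It assumes the Login control's ID is Login1, that the template controls have the IDs CAPTCHA and Email, and that the CAPTCHA control's type is WebControlCaptcha.CaptchaControl with a UserValidated property; it checks the CAPTCHA before calling Membership.ValidateUser, the order suggested in the feedback below, and fails closed on every path.

```csharp
using System;
using System.Web.Security;
using System.Web.UI.WebControls;

// Code-behind for the page hosting the templated Login control.
// Assumed names: Login1, "CAPTCHA", "Email" (not taken from the article).
public partial class LoginPage : System.Web.UI.Page
{
    // Wired up with OnAuthenticate="Login1_Authenticate" in the markup.
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        // Fail closed: every early return below leaves the user unauthenticated,
        // and the Login control shows the same FailureText for all of them.
        e.Authenticated = false;

        // Controls inside a template must be looked up through FindControl.
        // Assumption: the CAPTCHA control type and its UserValidated property.
        WebControlCaptcha.CaptchaControl captcha =
            Login1.FindControl("CAPTCHA") as WebControlCaptcha.CaptchaControl;
        TextBox emailBox = Login1.FindControl("Email") as TextBox;

        // A missing control means the template is broken; do not authenticate.
        if (captcha == null || emailBox == null)
            return;

        // 1. CAPTCHA first, so the membership store is never queried for a
        //    request that has not passed the human check.
        if (!captcha.UserValidated)
            return;

        // 2. Username and password.
        if (!Membership.ValidateUser(Login1.UserName, Login1.Password))
            return;

        // 3. The email address on file must match what the user typed.
        MembershipUser user = Membership.GetUser(Login1.UserName);
        if (user == null || user.Email == null)
            return;

        e.Authenticated = string.Equals(
            user.Email, emailBox.Text.Trim(), StringComparison.OrdinalIgnoreCase);
    }
}
```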

That's all there is to it!

[Read the article...]

posted on Tuesday, June 06, 2006 3:31 PM

Feedback

# re: Login Control + CAPTCHA 6/6/2006 6:58 PM Israel Aece

Hello Scott,

Wouldn't it be more interesting to validate captcha code before Membership user?

If captcha code is invalid, you don't access the membership methods (like ValidateUser) and, in this case, can cause an extra overhead. (IMHO)

# re: Login Control + CAPTCHA 6/6/2006 8:39 PM Scott Mitchell

Hi Israel. Good point, this would be more efficient. However, bear in mind that any gains are likely very negligible because:

(a) Logging in a user is probably much less frequent than other, more intensive operations
(b) Having a user log in AND enter an invalid CAPTCHA is even more unlikely

So it doesn't hurt to make that change, but I would imagine you'd not ever notice any difference one way or the other.

# re: Login Control + CAPTCHA 6/6/2006 10:50 PM paketim

A refresh button for the captcha image would be nice for unreadable verification codes.

Paketim
http://www.paketim.com

# re: Login Control + CAPTCHA 6/7/2006 4:41 AM nstlgc

Scott, I could be wrong, but IMHO the fact that you process your CAPTCHA only after a successful login defies the whole purpose of having a CAPTCHA to begin with.

CAPTCHA serves to verify that the entity visiting the website is not a robot. The prominent reason for having a robot visit your site is likely to be password bruteforcing. Your solution will happily allow robots to try until they find a login/password pair that works, then report to their owner for actual CAPTCHA clearance.

Just my 2 bits..

# re: Login Control + CAPTCHA 6/7/2006 7:13 AM James Bradley

I hate to sound negative, but being a web professional I'd have thought your article would mention that the use of CAPTCHA makes many websites illegal due to accessibility regulations (not just Section 508, but worldwide). Its use is certainly frowned upon for public sites where the abilities of users cannot be guaranteed. Perhaps a warning to the usage of CAPTCHA might be appropriate.

Of course the problem is for blind or visually impaired users, they have no idea what the caption says. For completeness on this subject, check out http://www.w3.org/TR/turingtest/

James

# re: Login Control + CAPTCHA 6/7/2006 10:04 AM Scott Mitchell

nstlgc, great point. I've revised the article's content and code download to capture the suggestions made by both you and Israel. Thanks both.

James, good points w.r.t. accessibility.

FYI, I've added all your comments to the article. Thanks for the heads up and worthwhile discussion.

# re: Login Control + CAPTCHA 6/26/2006 7:49 AM Alex

Scott,
Any chance you might be doing an article on Examining ASP.NET 2.0's Membership, Roles, and Profile with only using Active Directory? There are a lot of articles about this using Forms Authentication but what about intranet websites that want to use Active Directory? I think it would make a good Part 6 and I know I'd benefit from it.

Thanks for the great articles,
Alex

# re: Login Control + CAPTCHA 7/4/2006 3:16 AM GigoIt

Thought you guys might like this.

GigoIt's HumanAuth is based off the ideas presented by KittenAuth.com. HumanAuth supports ADA and Section 508 requirements, increased security and includes watermarked images with random positioning. HumanAuth ensures that an actual human is using your site without forcing them to read distorted CAPTCHA text.

http://www.gigoit.org/humanauth/

# re: Login Control + CAPTCHA 3/28/2007 5:31 AM Emilio

Here is a challenge :-) I have been trying to use this CAPTCHA control on the CreateUserWizard because I do not want ghost users registered on my system.

Unfortunately this CAPTCHA does not work with the ValidationSummary and when it is not good then there is no way to inject the error message into the ValidationSummary.

But most importantly, when processing CreatingUser it is not possible to get a reference to the CAPTCHA control (that is the ID) using FindControl. I tried by doing it with CreateUserWizard1 and CreateUserWizardStep1 and both return null and therefore it is not possible to validate the captcha.

# re: Login Control + CAPTCHA 1/14/2008 12:48 PM Stanislav

Can anyone help me with getting the FailureText working? I am using the templated login + CAPTCHA and the FailureText is not showing.

rgds
Stanislav

# re: Login Control + CAPTCHA 2/28/2008 2:48 PM Nate

I am trying to implement your captcha control in my code. It compiles fine but when I open up the web page I don't see captcha image instead I see a red asterisk error. I checked assembly path and all that seems good. Can someone help me why it's not showing up on page?
I get the associated textbox but not the captcha image.
Thanks
Nate

# re: Login Control + CAPTCHA 3/5/2008 3:17 AM Yu

Hi, I am experiencing the same problem with the captcha image not displayed. I have to re-start the iis every time to make it work.

Please help.
