BotDetect CAPTCHA ASP FAQ

No, the minimum platform requirements for BotDetect ASP CAPTCHA are Windows 2000 and IIS 5.0.

No, our product requires IIS 5.0+ in order to run properly.

You need to have full admin rights on the server to install and use the BotDetect ASP CAPTCHA, since it is a COM component which needs to be registered on the server to work. You will have to ask your web presence provider to install BotDetect for you. You'll have to send them LanapBotDetect.dll, gdiplus.dll and these instructions.

It is not necessary to run the installation package. You can just copy LanapBotDetect.dll and gdiplus.dll into the same folder anywhere on the target server machine (for example, C:\Temp\) and run the following from the command line:

regsvr32 /i "C:\Temp\LanapBotDetect.dll"

You'll need to restart IIS before registering a new version of BotDetect because that is the only way to make IIS release the LanapBotDetect.dll handle. Unfortunately, there is no workaround - this is IIS behavior "by design".

Here is the step-by-step upgrade procedure:

1. Copy the full version of LanapBotDetect.dll to the server
2. Stop IIS
3. Register the full version of LanapBotDetect.dll with the regsvr32.exe utility.
4. Start IIS

You are still using the trial version of BotDetect.

Register LanapBotDetect.dll with the regsvr32.exe utility again. Please check that it is the full release version. You can do this by right-clicking it in your Windows Explorer and selecting Properties, switching to the Version tab and checking the Description value – as shown in the picture:

To resolve this problem, assign NTFS Read and Execute file permissions to the appropriate user accounts (IUSR_<machinename>, NETWORK SERVICE) for LanapBotDetect.dll. Right click the LanapBotDetect.dll file, select Properties, switch to the Security tab and change the permissions.

This error is very similar to: http://support.microsoft.com/default.aspx?scid=KB;en-us;q278013.

It appears this problem is caused by GDI+ trying to write the temporary gdipfontcachev1.dat file (a "printer font cache") to a folder it doesn't have permissions to. Since the gdiplus.dll is loaded by LanapBotDetect.dll, which is in turn loaded by IIS (i.e. w3wp.exe), GDI+ runs under a user account with limited permissions.

Unfortunately, we were unable to find a configuration option for GDI+ to prevent it from trying to write that file, or to instruct it to write it in a specific location. The good news is that it apparently needs to write that file only once. So here is a workaround for the issue:

1. Temporarily give "Everyone" full access to the C:\ drive
2. Run the web page and wait for GDI+ to create the file in the C:\ root
3. Copy the file into the C:\Windows\System32 folder and change permissions on that file only to Modify by Everyone
4. Delete the C:\gdipfontcachev1.dat file and remove Everyone access to C:\
5. The error should then stop occurring.

When using load-balanced servers, you will have to ensure that clients return to the server containing their existing Session state data on all HTTP requests after the first one (known as enabling sticky connections). Please check your load-balancer settings.

This step is necessary since the ASP Session state is always kept in worker process memory, which only exists on the server where each individual worker process is running, and it can't be shared between multiple servers.

Keeping the LanapBotDetectHandler.asp file in the same folder as the .asp form is the simplest solution. It is possible to keep a single copy of the LanapBotDetectHandler.asp file and use it on multiple forms, as long as those forms are all within the same ASP application.

Every IIS virtual folder that is a separate ASP application has it's own Global.asa file and it's own separate Application and Session State. So for example, you should be able to move the handler file from

http://localhost/BotDetectASPSamples/CaptchaFeatures/
  LanapBotDetectHandler.asp

to

http://localhost/BotDetectASPSamples/LanapBotDetectHandler.asp

and continue using it on the

http://localhost/BotDetectASPSamples/CaptchaFeatures/
  BotDetectFeaturesDemo.asp

form, since http://localhost/BotDetectASPSamples/ is the application, while CaptchaFeatures/ and CaptchaValidation/ are simply subfolders and not separate applications.

However, you can not use the handler from that location anywhere outside the http://localhost/BotDetectASPSamples/ application, or even if you make separate applications out of the CaptchaFeatures/ and CaptchaValidation/ subfolders.

You can use FrontPage as long as you use ASP or PHP for form processing. Simple FrontPage Forms that use FrontPage Server Extensions are NOT supported.

Yes, BotDetect CAPTCHA can be integrated in PHP pages, but only on servers running Windows (since it's a COM component). You can find detailed instructions and sample code in the How To add BotDetect CAPTCHA protection to PHP forms guide.

You can randomize all BotDetect CAPTCHA property values easily. Here is an example ASP code snippet which chooses a random CAPTCHA rendering algorithm from the specified set of possible values:

<%
Function RandomFromRange(lowerLimit, upperLimit)
  Dim num
  Randomize
  num = CInt((upperlimit - lowerlimit)*Rnd() + lowerlimit) 
  RandomFromRange = num
End Function

Function RandomFromValues(values)
  Dim num
  Randomize
  num = RandomFromRange(0, UBound(values))
  RandomFromValues = values(num)
End Function

Dim algorithms(5)
algorithms(0) = 28 'Lego
algorithms(1) = 36 'MeltingHeat
algorithms(2) = 44 'Ghostly
algorithms(3) = 25 'FingerPrints
algorithms(4) = 39 'Graffiti2
algorithms(5) = 48 'Bullets

' choose a random TextStyle
Dim style 
style = RandomFromValues(algorithms)
%>

<img src=
  "LanapBotDetectHandler.asp?Command=
  CreateImage&TextStyle=<%=style%>" alt="CAPTCHA image" />

You can force the CAPTCHA image to reload from the server instead from the browser cache by adding the current timestamp in the CAPTCHA image Url querystring:

<img src="LanapBotDetectHandler.asp?Command=CreateImage&t=
    <%= year(now) & right("0" & month(now),2) & _
      right("0" & day(now),2) & right("0" & hour(now),2) & _
      right("0" & minute(now),2) & right("0" & second(now),2)
    %>" 
  alt="CAPTCHA image" />

You have most likely forgotten to include CAPTCHA validation code in the ASP script that processes your form's submitted data. You can see an example code snippet for CAPTCHA validation in the How To add BotDetect CAPTCHA protection to ASP forms guide.

Also, you might want to take a look at the Form Processing sample that comes with BotDetect installations. Note that the code in ProcessingFormDemo.asp is just used to generate CAPTCHA images. The validation of user input – i.e. checking that the user submitted the same code as displayed in the CAPTCHA image – happens in the script that processes POSTed form data, called ProcessForm.asp.

No, you can persist the CAPTCHA code in any server-side container that suits your needs. LanapBotDetectHandler.asp uses the built-in ASP Session state for simplicity, but you can freely replace that code with your own method of persistence (e.g. database persistence shared between multiple load-balanced servers).

Explanation

Since BotDetect CAPTCHA codes are stored in ASP Session state on the server, different CAPTCHA challenges on different pages within the same ASP application need to use different Session state keys to store their CAPTCHA codes.

The problems you are having occur when a user opens multiple browser tabs with different CAPTCHA-protected pages, which results in the CAPTCHA code from the last opened tab overwriting CAPTCHA codes from previously opened browser tabs.

Solution

Using the BotDetect CAPTCHA on more than one form in the same site requires a few modifications to the ASP code.

1. Replace the LanapBotDetectHandler.asp file on your website with the latest version coming with the BotDetect ASP v2.0.8 installation.
2. For every form on your site, decide on a unique CAPTCHA identifier for the CAPTCHA on that page – for example, if you have a CAPTCHA on both your registration and contact pages, you can call them RegistrationCaptcha and ContactCaptcha.

3. On each ASP form, modify the CAPTCHA showing code – in the CAPTCHA image and sound links, add a CaptchaId querystring parameter, using the value for that page decided on in the previous step. For example, change

   <img id="CaptchaImage" alt="CAPTCHA Code" 
     src="LanapBotDetectHandler.asp?Command=CreateImage" />

   to

   <img id="CaptchaImage" alt="CAPTCHA Code" 
     src="LanapBotDetectHandler.asp?Command=CreateImage
       &CaptchaId=RegistrationCaptcha" />

   and

   <a href="LanapBotDetectHandler.asp?Command=CreateSound"
     onclick="LBD_LoadSound('soundPlaceholder',
       'LanapBotDetectHandler.asp?Command=CreateSound'); 
       return false;" 
     title="Play CAPTCHA audio">

   to

   <a href="LanapBotDetectHandler.asp?Command=CreateSound
       &CaptchaId=RegistrationCaptcha"
     onclick="LBD_LoadSound('soundPlaceholder',
       'LanapBotDetectHandler.asp?Command=CreateSound&CaptchaId=
       RegistrationCaptcha'); return false;" 
     title="Play CAPTCHA audio">

4. On each form, modify the CAPTCHA validation code so the appropriate CaptchaId value is used in the Session key: LanapBotDetectCode should become LanapBotDetectCode_<CaptchaId>. For example, change

   Dim result, codeKey, inputCode
   result = False
   codeKey = "LanapBotDetectCode"
   inputCode = Request("CaptchaCode")
   
   If (Session(codeKey)<>"") Then
     code = Session(codeKey)
     result = (0 = StrComp(inputCode, code, 1))
     'each Captcha code can only be validated once
     Session(codeKey) = ""
   End If

   to

   Dim result, codeKey, inputCode
   result = False
   codeKey = "LanapBotDetectCode_RegistrationCaptcha"
   inputCode = Request("CaptchaCode")
   
   If (Session(codeKey)<>"") Then
     code = Session(codeKey)
     result = (0 = StrComp(inputCode, code, 1))
     'each Captcha code can only be validated once
     Session(codeKey) = ""
   End If

When you make these changes, each form will use a different ASP Session state key and opening different forms at the same time will not result in CAPTCHA code collisions.

Further steps

While these changes will prevent CAPTCHA problems when opening multiple browser tabs with different CAPTCHA-protected forms, they will not prevent the same issue from occurring when opening the same form in multiple browser tabs.

To resolve this issue in that case, you will need to append a timestamp or a GUID to the CaptchaId querystring parameter, to assign distinguished ASP Session state keys to different browser tabs.

Also, if the CAPTCHA validation is performed in a different ASP form than the one where this timestamp or GUID is generated, you will need to persist it (for example, in a hidden form field) so the validating form has access to the Session key used.

Since the behavior of the browser Back button is not specified by any standards, different browsers implement it differently. To force Firefox to change the CAPTCHA image, you must make the following changes:

1. Make sure you are using BotDetect ASP CAPTCHA v2.0.8 or newer, since that release includes the required change in the BotDetect CAPTCHA image Http Response headers from

   Response.CacheControl = "no-cache"

   to

   Response.CacheControl = "no-cache, no-store, must-revalidate"

2. Edit the ASP page showing the CAPTCHA image, adding the following code at the top of the ASP source:

   <%
   'prevent caching of the whole page
   Response.CacheControl = "no-cache, no-store, must-revalidate"
   Response.AddHeader "Pragma", "no-cache"
   Response.Expires = -1
   
   'utility function for querystring-friendly GUID generation 
   Function createGuid()
    Set TypeLib = Server.CreateObject("Scriptlet.TypeLib")
    tg = TypeLib.Guid
    guid = Left(tg, len(tg)-2)
    set regEx = New RegExp
    regEx.IgnoreCase = False
    regEx.Global = True
    regEx.Pattern = "[{}-]"
    createGuid = regEx.Replace(guid, "")
    Set TypeLib = Nothing
   End Function
   %>

3. Edit the CAPTCHA image including code, so for example

   <img id="CaptchaImage" alt="CAPTCHA Code" 
     src="LanapBotDetectHandler.asp?Command=CreateImage
       &TextStyle=0&ImageWidth=250&imageHeight=50&CodeLength=5
       &CodeType=0" />

   becomes

   <img id="CaptchaImage" alt="CAPTCHA Code" 
     src="LanapBotDetectHandler.asp?Command=CreateImage
       &TextStyle=0&ImageWidth=250&imageHeight=50&CodeLength=5
       &CodeType=0&t=<%=createGuid()%>" />

Instead of using a timestamp, this code uses a GUID to ensure every page load uses a different CAPTCHA querystring.

Also, it is necessary to prevent caching of the whole page, since otherwise Firefox will load the page from the cache when using the Back button, and the CAPTCHA image querystring will remain the same, which will again re-use the old image.

Only after making these changes will Firefox start reloading the CAPTCHA image when using the Back button.

If you want to avoid full page postbacks, you could take a look at the BotDetect CAPTCHA Ajax Validation Sample coming with the installation, which uses jQuery Ajax requests to only post and reload the part of the page with the CAPTCHA challenge.

Pure client-side CAPTCHA validation drawbacks

Pure client-side CAPTCHA validation (without any communication with the server) is not supported by BotDetect, since such a CAPTCHA is trivial to bypass, and doesn't provide any serious protection from bots. For example:

• You want users to post comments only if they have successfuly solved the CAPTCHA.
• If the CAPTCHA validation is purely client-side, this means JavaScript code must send the user's comment to the server when the CAPTCHA code is entered correctly.
• So the spammer only needs to solve the CAPTCHA once, and note how you handle the result: e.g. sending a specific POST parameter, or redirecting to a specific page.
• After that, they can simulate the same behavior in their bot and bypass the CAPTCHA completely - by simply faking the POST parameter, or accessing the redirection landing page directly.
• You can back the client-side CAPTCHA validation by also validating the same user input on the server once the page is posted and before recording the user comment.
• But since you are keeping the correct CAPTCHA solution on the client for validation, bots can have easy access to that code and then always solve the CAPTCHA correctly.

The exact details depend on your specific use-case and CAPTCHA integration scenario. But essentially, all client-side code is insecure and can be faked or modified by malicious parties. As a consequence, the CAPTCHA codes must only be kept on the server, and all CAPTCHA validation must be performed on the server as well.

Client-side CAPTCHA validation - the solution

You can avoid full page postbacks by using jQuery or another Ajax library to make asynchronous CAPTCHA validation requests to the server, and processing the result on the client:

• When the Ajax CAPTCHA validation fails, you can show the user a new CAPTCHA image without affecting the rest of the page, thus improving the user experience and overall usability of the page.
• You should always change the CAPTCHA code in such cases, since allowing multiple attempts at solving the same CAPTCHA makes OCR guessing much easier.
• When the Ajax CAPTCHA validation succeeds, you should then submit the page to the server and validate the user CAPTCHA input again.
• Only after successful server-side CAPTCHA validation should you execute the "protected" operation (e.g. record the user comment) on the server.

If the users enters a correct CAPTCHA code but for example username validation fails, they definitely should not have to solve another CAPTCHA. The purpose of CAPTCHA is to ensure the user is human, and when they solve it successfuly the first time they have passed this test.

If you have to return them to the form because another field value needs to be corrected, it's best not to show them a CAPTCHA at all, since it's purpose has been fulfilled. The simplest way to remember that the user has solved the CAPTCHA successfuly is to store the result on the server-side, for example:

<%
  'Captcha validation
  Dim result, codeKey, inputCode
  result = False
  codeKey = "LanapBotDetectCode"
  inputCode = Request("CaptchaCode")

  If (Session(codeKey)<>"") Then
    code = Session(codeKey)
    result = (0 = StrComp(inputCode, code, 1))
    'each Captcha code can only be validated once
    Session(codeKey) = ""
  End If
	
  Session("isHuman") = result

Then, the stored value is checked before displaying the CAPTCHA to the user, and the CAPTCHA is only displayed if it hasn't already been solved:

<% If (Not(Session("isHuman")<>"" And Session("isHuman"))) Then %>
  'show the Captcha image and textbox only if not solved already
  <div id="PromptDiv">Retype the code from the picture</div>
    <div id="CaptchaDiv">
      <div id="CaptchaImage">
        <img id="SampleForm_CaptchaImage" 
          src="LanapBotDetectHandler.asp?Command=CreateImage"
          alt="CAPTCHA Code Image" />
      </div>
      '...
<% End If %>

For security reasons, it is not possible to get the same BotDetect CAPTCHA image on two page loads, nor to use the same code for more than one CAPTCHA image.