ASP Classic Login CAPTCHA VBScript Code Sample (BotDetect v3.0; deprecated)

The ASP Classic Login Captcha code sample shows how to add BotDetect Classic ASP Captcha validation to simple ASP login forms.

To prevent bots from trying to guess the login info by brute force submission of a large number of common values, the visitor first has to prove they are human (by solving the CAPTCHA), and only then is their username and password submission checked against the authentication data store.

Also, if they enter an invalid username + password combination three times, they have to solve the CAPTCHA again. This prevents attempts in which the attacker would first solve the CAPTCHA themselves, and then let a bot brute-force the authentication info.

To keep the example code simple, the sample doesn't access a data store to authenticate the user, but accepts all logins with usernames and passwords at least 5 characters long as valid.

Installed Location

By default, the Classic ASP basic Captcha code sample is installed at:
C:\Program Files\Lanapsoft\BotDetect 3 CAPTCHA Component\Asp\WebApp\AspLoginCaptchaSample

You can also run it from the BotDetect Start Menu:
Programs > Lanapsoft > BotDetect 3 CAPTCHA Component > ASP > Web Applications > Run

Default.asp

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" 
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
  <title>BotDetect CAPTCHA ASP Login Sample</title>
  <link type="text/css" rel="Stylesheet" href="StyleSheet.css" />
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
  <!-- #include file ="BotDetect.asp" -->
</head>
<body>
  <form method="post" action="ProcessLogin.asp" id="form1">

    <h1>BotDetect CAPTCHA ASP Login Sample</h1>
    
    <h2>Login Page</h2>
    
    <fieldset>
      <legend>CAPTCHA included in ASP Login form validation</legend>
      
      <div class="input">
        <label for="Username">Username:</label>
        <input type="text" name="Username" id="Username" 
        class="textbox" value="<%=Server.HTMLEncode(Request("Username")) %>" />
      </div>
      
      <div class="input">
        <label for="Password">Password:</label>
        <input type="password" name="Password" id="Password" 
        class="textbox" />
      </div>
      
      <% ' authentication failed, show error message
        If Request("error") = "Format" Then %>
          <p class="incorrect">Invalid authentication info</p><% 
        ElseIf Request("error") = "Auth" Then %>
          <p class="incorrect">Authentication failed</p><% 
        End If 
      %>
        
      <div class="input">
        <% ' Adding BotDetect CAPTCHA to the page 
          Dim LoginCaptcha : Set LoginCaptcha = (New Captcha)("LoginCaptcha")
          LoginCaptcha.UserInputID = "CaptchaCode"
          
          If Not LoginCaptcha.IsSolved Then %>
            <label for="CaptchaCode">Retype the characters from the 
            picture:</label>
            <%=LoginCaptcha.Html %>
            <input type="text" name="CaptchaCode" id="CaptchaCode" 
            class="textbox" /><%
           ' CAPTCHA validation failed, show error message
            If Request("error") = "Captcha" Then %>
              <span class="incorrect">Incorrect code</span><%
            End If 
          End If
        %>
      </div>
      <input type="submit" name="SubmitButton" id="SubmitButton" 
      value="Submit"  />
    </fieldset>
  </form>
</body>
</html>

The Captcha object generates the HTML markup required to show the Captcha image and the Captcha sound / reload buttons.

To hide the Captcha challenge after the user solves it, the Captcha object's Html value is only added to the page if the Captcha has not already been solved (If Not LoginCaptcha.IsSolved Then ...).

ProcessLogin.asp

<!-- #include file ="BotDetect.asp" -->
<% 
  Dim form_page : form_page = "Default.asp"
  
  'directly accessing this script is an error
  If Not Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    Response.Redirect form_page
  End If

  ' submitted data
  Dim username : username = Request("Username")
  Dim password : password = Request("Password")
  
  ' CAPTCHA user input validation 
  Dim LoginCaptcha : Set LoginCaptcha = (New Captcha)("LoginCaptcha")
  LoginCaptcha.UserInputID = "CaptchaCode"
  If Not LoginCaptcha.IsSolved Then
    Dim isHuman : isHuman = LoginCaptcha.Validate()
    If Not isHuman Then 
      ' CAPTCHA validation failed, show error message
      Response.Redirect form_page & "?Username=" & _
        Server.URLEncode(username) & "&error=Captcha"
    End If
  End If
  
  ' CAPTCHA validation passed, only now do we perform the protected 
  ' action (try to authenticate the user)
  
  ' check login format
  Dim isValidLogin : isValidLogin = ValidateLogin(username, password)
  If Not isValidLogin Then 
    ' invalid login format, show error message
    Response.Redirect form_page & "?Username=" & _
      Server.URLEncode(username) & "&error=Format"
  End If
  
  ' authenticate the user
  Dim isAuthenticated : isAuthenticated = Authenticate(username, password)
  If Not isAuthenticated Then 
    ' authentication attempt failed, show error message
    Response.Redirect form_page & "?Username=" & _
      Server.URLEncode(username) & "&error=Auth"
  End If

  Function ValidateLogin(username, password)
    Dim result : result = False
    '  we check username and password are specified and alphanumeric
    If (Len(username) > 0 And Len(password) > 0) Then
      Dim regEx : Set regEx = New RegExp
      ' alphanumeric chars and underscores only
      regEx.Pattern = "^[a-zA-Z0-9_]+$"
      result = regEx.Test(username) 
      result = result And regEx.Test(password)
    End If
    ValidateLogin = result
  End Function
  
  Function Authenticate(username, password)
    Dim result : result = False
    ' Since this is a simple sample project, we consider all 
    ' authentication attempts with usernames and passwords at least 
    ' 5 characters long valid instead of looking up the info in a 
    ' database etc.
    If (Len(username) > 4 And Len(password) > 4) Then
      result = True
    Else
      ' failing authentication 3 times shows the Captcha again
      Dim count : count = CInt(Session("FailedAuthCount"))
      count = count + 1
      If count > 2 Then
        Call LoginCaptcha.Reset
        count = 0
      End If
      Session("FailedAuthCount") = count
    End If
    Authenticate = result
  End Function
%>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" 
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
  <title>BotDetect CAPTCHA ASP Login Demo</title>
  <link type="text/css" rel="Stylesheet" href="StyleSheet.css" />
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
</head>
<body>
  <h1>BotDetect CAPTCHA ASP Login Sample</h1>
  
  <h2>Protected Page</h2>

  <fieldset id="Properties">
    <legend>Validation passed!</legend>
    
    <div class="input">
      <label for="Username">Username:</label>
      <input name="Username" id="Username" type="text" class="textbox" 
      readonly="readonly" value="<%=Server.HTMLEncode(username) %>" />
    </div>
    
    <div class="input">
      <label for="Password">Password:</label>
      <input name="Password" id="Password" type="text" class="textbox" 
      readonly="readonly" value="<%=Server.HTMLEncode(password) %>" />
    </div>
    
    <p class="navigation">
      <% ' Sample only, we want to show the Captcha again when 
      ' returning to the form
        Call LoginCaptcha.Reset %>
      <a href="Default.asp">Back to login page</a>
    </p>
  </fieldset>
</body>
</html>

Form submission validation is performed in this file, which checks all required fields and redirects the user back to the form if validation fails. Captcha validation is treated no differently from other field validation.

We also count failed authentication attempts in the authentication function: if the user fails three authentication requests, the Captcha is reset and they must solve a new one before continuing. This throttles authentication access, ensuring username + password combinations cannot be brute-forced, while real human users get theoretically unlimited authentication attempts (as long as they don't mind solving further Captchas).
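
The throttle described above, modelled as an added example in Python (not part of the BotDetect sample): it mirrors the session state ProcessLogin.asp keeps and counts how many Captcha solves a run of password guesses costs. The class and function names and the sample credentials are assumptions made for the illustration.

```python
# Added model of ProcessLogin.asp's session logic; not BotDetect code.
# LoginSession, submit and solves_needed are hypothetical names.
import re

LOGIN_CHARS = re.compile(r"[a-zA-Z0-9_]+")  # character class from ValidateLogin
MAX_FAILURES = 3                            # sample resets when count > 2


class LoginSession:
    """State the sample keeps per session: solved flag and FailedAuthCount."""

    def __init__(self, authenticate):
        self.authenticate = authenticate    # stand-in for the data-store lookup
        self.captcha_solved = False         # LoginCaptcha.IsSolved
        self.failed_auth_count = 0          # Session("FailedAuthCount")

    def submit(self, username, password, captcha_ok=False):
        """Return the error code the sample redirects with, or "OK"."""
        if not self.captcha_solved:
            if not captcha_ok:
                return "Captcha"            # credentials are never examined
            self.captcha_solved = True
        if not (LOGIN_CHARS.fullmatch(username) and LOGIN_CHARS.fullmatch(password)):
            return "Format"                 # rejected before Authenticate runs
        if self.authenticate(username, password):
            return "OK"
        self.failed_auth_count += 1
        if self.failed_auth_count >= MAX_FAILURES:
            self.captcha_solved = False     # LoginCaptcha.Reset
            self.failed_auth_count = 0
        return "Auth"


def solves_needed(guesses, authenticate):
    """CAPTCHA solves a client must supply to get each guess evaluated."""
    session, solves = LoginSession(authenticate), 0
    for username, password in guesses:
        result = session.submit(username, password)
        if result == "Captcha":             # challenge shown: solve, resubmit
            solves += 1
            result = session.submit(username, password, captcha_ok=True)
        if result == "OK":
            break
    return solves


# Constructed sample data: one valid account and ten wrong guesses.
def check(username, password):
    return (username, password) == ("alice", "s3cret_pw")

WRONG = [("alice", "guess_%02d" % i) for i in range(10)]
```

With the ten failing guesses, `solves_needed(WRONG, check)` returns 4: each solved Captcha buys at most three authentication attempts, and submissions rejected for format never reach the counter.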

BotDetect\CaptchaConfig.asp

<%

' Captcha code configuration
' ---------------------------------------------------------------------
LBD_Configuration_CodeLength = 4
LBD_Configuration_CodeStyle = LBD_CodeStyles("Alphanumeric")
LBD_Configuration_CodeTimeout = 1200
LBD_Configuration_Locale = "en-US"
LBD_Configuration_CustomCharset = ""
LBD_Configuration_BannedSequences = ""

' Captcha image configuration
' ---------------------------------------------------------------------
LBD_Configuration_ImageStyle = LBD_ImageStyles("CaughtInTheNet2")
LBD_Configuration_ImageWidth = 200
LBD_Configuration_ImageHeight = 50
LBD_Configuration_ImageFormat = LBD_ImageFormats("JPEG")
LBD_Configuration_CustomDarkColor = ""
LBD_Configuration_CustomLightColor = ""
LBD_Configuration_ImageTooltip = "CAPTCHA"
LBD_Configuration_HelpLinkEnabled = True
LBD_Configuration_HelpLinkMode = LBD_HelpLinkModes("Image")
LBD_Configuration_HelpLinkUrl = ""
LBD_Configuration_HelpLinkText = ""

' Captcha sound configuration
' ---------------------------------------------------------------------
LBD_Configuration_SoundEnabled = True
LBD_Configuration_SoundStyle = LBD_RandomSoundStyle()
LBD_Configuration_SoundFormat = LBD_SoundFormats("WavPcm16bit8kHzMono")
LBD_Configuration_SoundTooltip = "Speak the CAPTCHA code"
LBD_Configuration_SoundIconUrl = "BotDetect/SoundIcon.gif"
LBD_Configuration_SoundPackageFolder = "C:\Program Files (x86)\Lanapsoft\BotDetect 3 CAPTCHA Component\Asp\Redistribute\BotDetectSounds"
LBD_Configuration_WarnAboutMissingSoundPackages = True
LBD_Configuration_SoundStartDelay = 0
LBD_Configuration_SoundRegenerationMode = LBD_SoundRegenerationModes("Limited")

' Captcha reload configuration
' ---------------------------------------------------------------------
LBD_Configuration_ReloadEnabled = True
LBD_Configuration_ReloadTooltip = "Change the CAPTCHA code"
LBD_Configuration_ReloadIconUrl = "BotDetect/ReloadIcon.gif"
LBD_Configuration_AutoReloadExpiredCaptchas = True
LBD_Configuration_AutoReloadTimeout = 7200

' Captcha user input configuration
' ---------------------------------------------------------------------
LBD_Configuration_AutoFocusInput = True
LBD_Configuration_AutoClearInput = True
LBD_Configuration_AutoUppercaseInput = True

' Captcha persistence configuration
' ---------------------------------------------------------------------
Dim LBD_Persistence : Set LBD_Persistence = Session
LBD_Configuration_UseApplicationFallback = True

%>

The ASP Captcha library configuration file defines base Captcha settings for the sample.


Please Note

The information on this page is out of date and applies to a deprecated version of BotDetect™ CAPTCHA (v3.0).

An up-to-date equivalent page for the latest BotDetect Captcha release (v4) is BotDetect v4 Captcha documentation index.

General information about the major improvements in the current BotDetect release can be found at the What's New in BotDetect v4.0 page.