ASP Classic Login CAPTCHA VBScript Code Example

The ASP Classic Login Captcha code example shows how to add BotDetect CAPTCHA validation to simple ASP login forms.


To prevent bots from trying to guess the login info by brute force submission of a large number of common values, the visitor first has to prove they are human (by solving the CAPTCHA), and only then is their username and password submission checked against the authentication data store.

Also, if they enter an invalid username + password combination three times, they have to solve the CAPTCHA again. This prevents attempts in which the attacker would first solve the CAPTCHA themselves, and then let a bot brute-force the authentication info.

To keep the example code simple, the sample doesn't access a data store to authenticate the user, but accepts all logins with usernames and passwords at least 5 characters long as valid.

Download the BotDetect Classic ASP CAPTCHA Component and run this example

Installed Location

By default, the Classic ASP login Captcha code example is installed at:
C:\Program Files\Captcha Inc\BotDetect 4 CAPTCHA Component\Asp\WebApp\AspLoginCaptchaExample

You can also run it from the BotDetect Start Menu:
Programs > Captcha Inc > BotDetect 4 CAPTCHA Component > ASP > Web Applications > Run

Default.asp

<!-- #include file ="BotDetect.asp" -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
  <title>BotDetect ASP Classic CAPTCHA Validation: ASP Login Form CAPTCHA Code 
  Example</title>
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
  <link type="text/css" rel="Stylesheet" href="<%= CaptchaUrls.LayoutStylesheetUrl() %>" />
  <link type="text/css" rel="Stylesheet" href="StyleSheet.css" />
</head>
<body>
  <form method="post" action="ProcessLogin.asp" class="column" id="form1">

    <h1>BotDetect ASP Classic CAPTCHA Validation: 
    <br /> ASP Login Form CAPTCHA Code Example</h1>
    
    <h2>Login Page</h2>
    
    <fieldset>
      <legend>CAPTCHA included in ASP Login form validation</legend>
      
      <div class="input">
        <label for="Username">Username:</label>
        <input type="text" name="Username" id="Username" class="textbox" 
        value="<%=Server.HTMLEncode(Request("Username") & "") %>" />
      </div>
      
      <div class="input">
        <label for="Password">Password:</label>
        <input type="password" name="Password" id="Password" class="textbox" />
      </div>
      
      <% ' authentication failed, show error message
        If Request("error") = "Format" Then %>
          <p class="incorrect">Invalid authentication info</p><% 
        ElseIf Request("error") = "Auth" Then %>
          <p class="incorrect">Authentication failed</p><% 
        End If 
      %>
        
      <div class="input">
        <% ' Adding BotDetect CAPTCHA to the page 
          Dim LoginCaptcha : Set LoginCaptcha = (New Captcha)("LoginCaptcha")
          LoginCaptcha.UserInputID = "CaptchaCode"
          
          If Not LoginCaptcha.IsSolved Then %>
            <label for="CaptchaCode">Retype the characters from the picture:</label>
            <%=LoginCaptcha.Html %>
            <input type="text" name="CaptchaCode" id="CaptchaCode" 
            class="textbox" /><%
            ' CAPTCHA validation failed, show error message
            If Request("error") = "Captcha" Then %>
              <span class="incorrect">Incorrect code</span><%
            End If 
          End If
        %>
      </div>
      <input type="submit" name="SubmitButton" id="SubmitButton" value="Submit" />
    </fieldset>
  </form>
</body>
</html>

As explained in the ASP Classic form Captcha howto guide, the Captcha object generates the Html markup required to show the Captcha image and the Captcha sound / reload buttons.

To hide the Captcha challenge after the user solves it, the Captcha object's Html value is only added to the page if the Captcha is not already solved (If Not LoginCaptcha.IsSolved Then ...).

ProcessLogin.asp

<!-- #include file ="BotDetect.asp" -->
<% 
  Dim form_page : form_page = "Default.asp"
  
  'directly accessing this script is an error
  If Not Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    Response.Redirect form_page
  End If

  ' submitted data
  Dim username : username = Request("Username")
  Dim password : password = Request("Password")
  
  ' CAPTCHA user input validation 
  Dim LoginCaptcha : Set LoginCaptcha = (New Captcha)("LoginCaptcha")
  LoginCaptcha.UserInputID = "CaptchaCode"
  If Not LoginCaptcha.IsSolved Then
    Dim isHuman : isHuman = LoginCaptcha.Validate()
    If Not isHuman Then 
      ' CAPTCHA validation failed, show error message
      Response.Redirect form_page & "?Username=" & Server.URLEncode(username) & _
      "&error=Captcha"
    End If
  End If
  
  ' CAPTCHA validation passed, only now do we perform the protected action (try 
  ' to authenticate the user)
  
  ' check login format
  Dim isValidLogin : isValidLogin = ValidateLogin(username, password)
  If Not isValidLogin Then 
    ' invalid login format, show error message
    Response.Redirect form_page & "?Username=" & Server.URLEncode(username) & _
    "&error=Format"
  End If
  
  ' authenticate the user
  Dim isAuthenticated : isAuthenticated = Authenticate(username, password)
  If Not isAuthenticated Then 
    ' authentication attempt failed, show error message
    Response.Redirect form_page & "?Username=" & Server.URLEncode(username) & _
    "&error=Auth"
  End If
  
  
  
  Function ValidateLogin(username, password)
    Dim result : result = False
    '  we check username and password are specified and alphanumeric
    If (Len(username) > 0 And Len(password) > 0) Then
      Dim regEx : Set regEx = New RegExp
      regEx.Pattern = "^[a-zA-Z0-9_]+$" ' alphanumeric chars and underscores only
      result = regEx.Test(username) 
      result = result And regEx.Test(password)
    End If
    ValidateLogin = result
  End Function
  
  Function Authenticate(username, password)
    Dim result : result = False
    ' Since this is a simple example project, we consider all authentication 
    ' attempts with usernames and passwords at least 5 characters long valid 
    ' instead of looking up the info in a database etc.
    If (Len(username) > 4 And Len(password) > 4) Then
      result = True
    Else
      ' failing authentication 3 times shows the Captcha again
      Dim count : count = CInt(Session("FailedAuthCount"))
      count = count + 1
      If count > 2 Then
        Call LoginCaptcha.Reset
        count = 0
      End If
      Session("FailedAuthCount") = count
    End If
    Authenticate = result
  End Function
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
  <title>BotDetect ASP Classic CAPTCHA Validation: ASP Login Form CAPTCHA Code 
  Example</title>
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
  <link type="text/css" rel="Stylesheet" href="StyleSheet.css" />
</head>
<body>
  <div class="column">
    <h1>BotDetect ASP Classic CAPTCHA Validation: 
    <br /> ASP Login Form CAPTCHA Code Example</h1>
    
    <h2>Protected Page</h2>

    <fieldset id="Properties">
      <legend>Validation passed!</legend>
      
      <div class="input">
        <label for="Username">Username:</label>
        <input name="Username" id="Username" type="text" class="textbox" 
        readonly="readonly" value="<%=Server.HTMLEncode(username) %>" />
      </div>
      
      <div class="input">
        <label for="Password">Password:</label>
        <input name="Password" id="Password" type="text" class="textbox" 
        readonly="readonly" value="<%=Server.HTMLEncode(password) %>" />
      </div>
      
      <p class="navigation">
        <% ' Example only, we want to show the Captcha again when returning to 
          ' the form
          Call LoginCaptcha.Reset %>
        <a href="Default.asp">Back to login page</a>
      </p>
    </fieldset>
  </div>
</body>
</html>

Form submission validation is performed in this file, which checks all required fields and redirects the user back to the form if validation fails. Captcha validation is treated no differently from other field validation.

We also count the number of failed authentication attempts in the authentication function: if the user fails three authentication requests, they are shown a new Captcha which they must solve before continuing. This throttles authentication access, ensuring username + password combinations cannot be brute-forced, while real human users get theoretically unlimited authentication attempts (as long as they don't mind solving further Captchas).
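The throttle described above can be modelled outside ASP to check how many credential guesses one solved Captcha admits. This Python model is an added example, not part of the BotDetect sample; `CaptchaSession`, `guesses_evaluated` and the account data are hypothetical, and the `ValidateLogin` format check is left out.

```python
# Added model of the ProcessLogin.asp flow, not BotDetect code; names are hypothetical.

class CaptchaSession:
    """One visitor session: CAPTCHA-solved flag plus failed-auth counter."""
    MAX_FAILURES = 3  # the sample resets the CAPTCHA on the third failure

    def __init__(self, valid_credentials):
        self.valid = valid_credentials  # constructed credential store
        self.is_solved = False          # mirrors LoginCaptcha.IsSolved
        self.failed_auth_count = 0      # mirrors Session("FailedAuthCount")

    def process_login(self, username, password, captcha_correct=False):
        # CAPTCHA gate: checked before the credentials are looked at
        if not self.is_solved:
            if not captcha_correct:
                return "captcha"
            self.is_solved = True
        # Only now is the protected action (authentication) performed
        if self.valid.get(username) == password:
            return "ok"
        self.failed_auth_count += 1
        if self.failed_auth_count >= self.MAX_FAILURES:
            self.is_solved = False      # mirrors LoginCaptcha.Reset
            self.failed_auth_count = 0
        return "auth"


def guesses_evaluated(passwords, captcha_solves):
    """Replay a password list against one constructed account when the
    client can answer only `captcha_solves` challenges correctly; return
    how many guesses reached the credential check."""
    session = CaptchaSession({"alice_01": "correct_horse"})
    evaluated = 0
    for guess in passwords:
        solve_now = not session.is_solved and captcha_solves > 0
        if solve_now:
            captcha_solves -= 1
        outcome = session.process_login("alice_01", guess, solve_now)
        if outcome != "captcha":
            evaluated += 1
        if outcome == "ok":
            break
    return evaluated


if __name__ == "__main__":
    wrong = ["guess_%02d" % i for i in range(10)]  # constructed guesses
    for solves in (0, 1, 2):
        print(solves, "solves ->", guesses_evaluated(wrong, solves), "guesses checked")
```

Each correct Captcha answer admits three credential checks, so the cost of a guessing run scales with the number of challenges that have to be solved.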

BotDetect\CaptchaConfig.asp

<%

' BotDetect ASP Captcha configuration options
' ---------------------------------------------------------------------------
BotDetect.CodeLength = 4
BotDetect.ImageStyle = BDC_ImageStyles("CaughtInTheNet2")
BotDetect.ImageWidth = 200
BotDetect.HelpLinkMode = BDC_HelpLinkModes("Image")

%>

The ASP Captcha library configuration file defines base Captcha settings for the sample.