Pure client-side Captcha validation (without any communication with the server) is not supported by BotDetect, since such a Captcha is trivial to bypass, and doesn't provide any serious protection from bots. For example:
- You want users to post comments only if they have successfully solved the Captcha.
- So the spammer only needs to solve the Captcha once, and note how you handle the result: e.g. sending a specific POST parameter, or redirecting to a specific page.
- After that, they can simulate the same behavior in their bot and bypass the Captcha completely – by simply faking the POST parameter, or accessing the redirection landing page directly.
- You can back the client-side Captcha validation by also validating the same user input on the server once the page is posted and before recording the user comment.
- But since you are keeping the correct Captcha solution on the client for validation, bots can have easy access to that code and then always solve the Captcha correctly.
The exact details would of course depend on your specific use-case and Captcha integration scenario. But essentially, all client-side code is insecure and can be faked or modified by malicious parties. As a consequence, Captcha codes must only be kept on the server, and all Captcha validation must be performed on the server as well.
You can avoid full form submissions by using Ajax to make asynchronous Captcha validation requests to the server, and processing the result on the client:
- When Ajax Captcha validation fails, you can show the user a new Captcha image without affecting the rest of the page, thus improving the user experience and overall usability of the page.
- You should always change the Captcha code in such cases, since allowing multiple attempts at solving the same Captcha makes OCR guessing much easier.
- When Ajax Captcha validation succeeds, you should then submit the page to the server and validate the user Captcha input again.
- Only after successful server-side Captcha validation should you execute the "protected" operation (e.g. record the user comment) on the server.
BotDetect supports a variety of Ajax Captcha validation options, and includes a number of related examples for the available platforms.
BotDetect ASP.NET CAPTCHA Client-Side API Reference
BotDetect ASP.NET Captcha client-side functionality is encapsulated in the
BotDetect Prototype Reference
The main client-side BotDetect prototype (accessible on the whole page using BotDetect.<member_name>) exposes several global functions and constants.
Captcha Object Reference
BotDetect client-side object instances expose all Captcha workflow functions and values, as well as several Captcha life-cycle events. These objects can be accessed in your client-side scripts:
- this.<member_name> within member functions and custom event handlers. E.g. if you register a function as a custom handler for the PreReloadImage BotDetect event, you can access the BotDetect client-side object within that function using this.
- The Captcha custom property of the textbox DOM element registered as the Captcha code input. E.g. if your server-side code specifies SampleCaptcha.UserInputClientID = "CaptchaCodeTextBox", your client-side code can access Captcha functionality through the textbox element:
- Or, if you're using jQuery and (for example) added a "captchaVal" CSS class to the Captcha code textbox, you can use: