I'm implementing a handler (.ashx) to display a randomly generated captcha image on my registration screen.

From within the .ashx, a random string of characters is generated and displayed as an image on the registration page:
<img alt="" src="Captcha.ashx" />

Once displayed, the user has to enter the values of what they think they see in a textbox.

From within the handler, I declared a session variable Session("captchastring") and planned to match this value with the value entered in the textbox. No dice.

It seems the Session value declared when the .ashx is run the first time only becomes available to the calling aspx page upon a postback.

Then I got to thinking whether I was going about this all wrong...

I could use a suggestion or two on how to proceed keeping security in mind.
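
One way to wire up the flow described in the post, as an added example that is not the poster's code: the handler implements IRequiresSessionState so it can write Session("captchastring"), and the comparison runs on postback, the first page request that follows the image request. The class name Captcha, the Validate helper, the alphabet and the image dimensions are assumptions made for this example.

```vbnet
Imports System.Drawing
Imports System.Drawing.Imaging
Imports System.Security.Cryptography
Imports System.Web
Imports System.Web.SessionState

' Handler class behind Captcha.ashx. IRequiresSessionState is what gives a
' handler read/write access to context.Session; without it Session is Nothing.
Public Class Captcha
    Implements IHttpHandler, IRequiresSessionState
    Private Const Alphabet As String = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789" ' 32 chars, no look-alikes

    Public Sub ProcessRequest(context As HttpContext) Implements IHttpHandler.ProcessRequest
        Dim code As String = NewCode(6)
        context.Session("captchastring") = code           ' server-side only, never sent as text
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache) ' stale image = wrong code
        context.Response.ContentType = "image/jpeg"
        Using bmp As New Bitmap(160, 50), g As Graphics = Graphics.FromImage(bmp),
              f As New Font("Arial", 24)
            g.Clear(Color.White)
            g.DrawString(code, f, Brushes.Black, 10, 5)   ' plain rendering; distortion omitted
            bmp.Save(context.Response.OutputStream, ImageFormat.Jpeg)
        End Using
    End Sub

    Private Shared Function NewCode(length As Integer) As String
        Dim bytes(length - 1) As Byte
        RandomNumberGenerator.Create().GetBytes(bytes)     ' CSPRNG, not System.Random
        Dim chars(length - 1) As Char
        For i As Integer = 0 To length - 1
            chars(i) = Alphabet(bytes(i) Mod Alphabet.Length) ' 256 Mod 32 = 0, so no bias
        Next
        Return New String(chars)
    End Function

    ' Hypothetical helper: call from the .aspx postback handler with Session and the textbox text.
    Public Shared Function Validate(session As HttpSessionState, entered As String) As Boolean
        Dim expected As String = TryCast(session("captchastring"), String)
        session.Remove("captchastring")                    ' single use: every attempt burns the code
        If String.IsNullOrEmpty(expected) OrElse entered Is Nothing Then Return False
        Return String.Equals(expected, entered.Trim(), StringComparison.OrdinalIgnoreCase)
    End Function

    Public ReadOnly Property IsReusable As Boolean Implements IHttpHandler.IsReusable
        Get
            Return False
        End Get
    End Property
End Class
```

Because Validate removes the stored value on every attempt, a failed guess requires a fresh image request before the next submission can succeed.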