-
Jul 26th, 2007, 09:26 AM
#1
Thread Starter
Hyperactive Member
[RESOLVED] [2005] Using ashx, session state, and security
I'm implementing a handler (.ashx) to display a randomly generated captcha image on my registration screen.
From within the .ashx, a random string of characters is generated and displayed as an image on the registration page:
<img alt="" src="Captcha.ashx" />
Once displayed, the user has to enter the values of what they think they see in a textbox.
From within the handler, I declared a session variable Session("captchastring") and planned to match this value with the value entered in the textbox. No dice.
It seems the Session value declared when the .ashx is run the first time only becomes available to the calling aspx page upon a postback.
Then I got to thinking whether I was going about this all wrong....
I could use a suggestion or two on how to proceed keeping security in mind.
-
Jul 27th, 2007, 10:17 AM
#2
Re: [2005] Using ashx, session state, and security
What's the problem? If you explained it, I don't think I understood.
-
Jul 27th, 2007, 03:04 PM
#3
Thread Starter
Hyperactive Member
Re: [2005] Using ashx, session state, and security
My registration page includes the use of a captcha image to thwart belligerent bots.
The image is displayed through the use of a handler (.ashx):
<IMG src="handler.ashx" alt="" />
The handler creates the image as follows:
1) generates random string
2) takes this string and turns it into image, skews image
3) displays image
4) creates session variable [equal to the string of characters in the image]
Now, back on my aspx registration page:
The captcha image is displayed and the user must enter the characters he/she thinks he/she sees in a textbox.
The textbox.text values are checked against the string found in the aforementioned session variable. If it matches, validation passes and the user may continue.
My question is: Is this approach secure? Is passing the value that is to be checked via session good programming? Would it be an option to instead store the string variable (encrypted) inside a DB and then make a call to the DB for the comparison test? Is this overkill? Inefficient? It's my first time around the block doing this and I do not know what the best approach would be.
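The handler steps and the session check described in this post, as an added VB.NET sketch that is not part of the original thread. A handler only sees session state if it implements IRequiresSessionState, and clearing the stored value on the first check keeps one solved image from being replayed. Assumptions: the class name CaptchaHandler, the Verify helper, the 6-character alphabet and image size are hypothetical, the class is taken to live in App_Code with Captcha.ashx pointing at it, and the skew step is left out.

```vb
Imports System.Drawing
Imports System.Drawing.Imaging
Imports System.Security.Cryptography
Imports System.Web
Imports System.Web.SessionState

' Added example, not the poster's code. Class and helper names are hypothetical.
Public Class CaptchaHandler
    ' IRequiresSessionState is a marker interface; without it context.Session is Nothing.
    Implements IHttpHandler, IRequiresSessionState

    ' 32 symbols, so (byte Mod 32) is unbiased; look-alikes I, O, 0, 1 are left out.
    Private Const Alphabet As String = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

    Public Sub ProcessRequest(ByVal context As HttpContext) Implements IHttpHandler.ProcessRequest
        ' 1) Random string from the OS CSPRNG rather than System.Random.
        Dim raw(5) As Byte
        Dim rng As New RNGCryptoServiceProvider()
        rng.GetBytes(raw)
        Dim chars(5) As Char
        For i As Integer = 0 To 5
            chars(i) = Alphabet(raw(i) Mod Alphabet.Length)
        Next
        Dim code As New String(chars)
        ' 4) The answer stays server-side; the browser only ever receives pixels.
        context.Session("captchastring") = code
        ' 2-3) Render and send the image (distortion omitted); never let it be cached.
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache)
        context.Response.ContentType = "image/jpeg"
        Using bmp As New Bitmap(160, 50)
            Using g As Graphics = Graphics.FromImage(bmp)
                g.Clear(Color.White)
                Using f As New Font("Arial", 24, FontStyle.Bold)
                    g.DrawString(code, f, Brushes.Black, 10, 5)
                End Using
            End Using
            bmp.Save(context.Response.OutputStream, ImageFormat.Jpeg)
        End Using
    End Sub

    Public ReadOnly Property IsReusable() As Boolean Implements IHttpHandler.IsReusable
        Get
            Return False
        End Get
    End Property
    ' Call from the registration page's postback, e.g. Verify(Session, typedText).
    Public Shared Function Verify(ByVal session As HttpSessionState, ByVal typed As String) As Boolean
        Dim expected As String = TryCast(session("captchastring"), String)
        session.Remove("captchastring") ' single use: pass or fail, the value is gone
        If String.IsNullOrEmpty(expected) OrElse typed Is Nothing Then Return False
        Return String.Equals(expected, typed.Trim(), StringComparison.OrdinalIgnoreCase)
    End Function
End Class
```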
-
Jul 27th, 2007, 03:05 PM
#4
Re: [2005] Using ashx, session state, and security
Set the Session mode to sqlserver, and it will store everything on the server for you. Nothing stored locally.
-
Jul 27th, 2007, 03:42 PM
#5
Thread Starter
Hyperactive Member
Re: [2005] Using ashx, session state, and security
Are we talking a change to the web.config file like so:
<sessionState
    mode="SQLServer"
    sqlConnectionString="data source=127.0.0.1;user id=<username>;password=<strongpassword>"
    cookieless="true"
    timeout="20"
/>
-
Jul 28th, 2007, 10:25 AM
#6
Re: [2005] Using ashx, session state, and security
Originally Posted by Ms.Longstocking
My question is: Is this approach secure? Is passing the value that is to be checked via session good programming? Would it be an option to instead store the string variable (encrypted) inside a DB and then make a call to the DB for the comparison test? Is this overkill? Inefficient? It's my first time around the block doing this and I do not know what the best approach would be.
Yes. Yes. Yes. Yes. No.
In more words, you can do it, but your current approach is fine. And relevant.
-
Jul 28th, 2007, 11:02 AM
#7
Thread Starter
Hyperactive Member
Re: [2005] Using ashx, session state, and security
Thanks Mendhak!
I appreciate the green thumbs up!! It's very reassuring for me.
Kind Regards,
-MPippz
-
Jul 30th, 2007, 05:51 AM
#8
Re: [RESOLVED] [2005] Using ashx, session state, and security
Whenever I want reassuring, I make myself a console application. Ha ha!! Get it? Console... console.
uhm... yeah. sorry. Good luck.