On a website where users can log on, it is a good idea to have some sort of password policy. The most widely used one sets a minimum password length and requires the characters to be a mixture of numbers, letters and special characters. This is pretty much standard, and it makes it much more difficult to break into your system.

Eventually these passwords will be broken; for a brute-force robot it's only a matter of time. That's why it is a good idea to protect against brute-force attacks by limiting the number of retries you get when you can't remember the right password.

I've written a few methods that limit the number of retries to 5. When the fifth bad logon attempt is reached, nobody can log on to that user account for five minutes. No other users are affected, only the one that is being brute forced.

The Code

private int NumberOfLogonAttemps()
{
  if (Cache[txtUserName.Text] == null)
    return 0;

  return (int)Cache[txtUserName.Text];
}

private void ClearLogonCounter()
{
  if (Cache[txtUserName.Text] != null)
  {
    Cache.Remove(txtUserName.Text);
  }
}

private void CountLogonAttempt()
{
  if (Cache[txtUserName.Text] == null)
  {
    // First failed attempt: the entry expires 5 minutes after it was last touched
    Cache.Insert(txtUserName.Text, 1, null, Cache.NoAbsoluteExpiration, TimeSpan.FromMinutes(5));
  }
  else
  {
    int tries = (int)Cache[txtUserName.Text];
    // Re-insert with the same sliding expiration. Assigning through Cache[...] would
    // overwrite the entry without any expiration, so the lock would never time out
    Cache.Insert(txtUserName.Text, tries + 1, null, Cache.NoAbsoluteExpiration, TimeSpan.FromMinutes(5));
  }
}

Example of use

To use these three methods, call them from the logon button's click event handler.

protected void BtnLoginClick(object sender, EventArgs e)
{
  // Refuse the attempt while the counter is at the threshold. The cache entry
  // expires by itself, and that is what ends the lockout
  if (NumberOfLogonAttemps() >= 5)
  {
    Status.InnerHtml = "User has been locked for 5 minutes";
    return;
  }

  // LogOn() is assumed here to return true when the credentials were accepted
  if (LogOn())
  {
    ClearLogonCounter();
  }
  else
  {
    CountLogonAttempt();
  }
}

This is very simple to implement, and should it become a problem for users to log on, you can raise the threshold to 10 retries.
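The same lockout rules as a stand-alone class, added here as an example rather than taken from the post, with the expiry handled explicitly instead of by System.Web.Cache so the behaviour can be exercised from a console program. The class name, its method names and the injectable clock are assumptions.

```csharp
using System;
using System.Collections.Generic;
// Added example: the post's lockout rules as a stand-alone class with the expiry
// handled explicitly instead of by System.Web.Cache. The class and method names
// and the injectable clock are assumptions, not part of the original post.
public sealed class LoginThrottle
{
    private readonly int _maxAttempts;
    private readonly TimeSpan _window;
    private readonly Func<DateTime> _now;
    // user name -> (failed attempts so far, moment the entry expires)
    private readonly Dictionary<string, (int Tries, DateTime Expires)> _state =
        new Dictionary<string, (int Tries, DateTime Expires)>();

    public LoginThrottle(int maxAttempts, TimeSpan window, Func<DateTime> now)
    {
        _maxAttempts = maxAttempts; _window = window; _now = now;
    }
    // An expired entry counts as absent, exactly like an expired cache item
    public int FailedAttempts(string user)
    {
        if (_state.TryGetValue(user, out var entry) && entry.Expires > _now())
            return entry.Tries;
        _state.Remove(user);
        return 0;
    }
    public bool IsLocked(string user) => FailedAttempts(user) >= _maxAttempts;

    // After a rejected credential check: store the new count together with a fresh
    // expiry, the equivalent of Cache.Insert with a sliding expiration. A plain
    // Cache[key] = value would keep the count but drop the expiry, so the lock
    // would never be released.
    public void RecordFailure(string user) =>
        _state[user] = (FailedAttempts(user) + 1, _now() + _window);

    // After an accepted credential check the counter starts over
    public void RecordSuccess(string user) => _state.Remove(user);

    public static void Main()
    {
        var clock = new DateTime(2024, 1, 1, 12, 0, 0);
        var throttle = new LoginThrottle(5, TimeSpan.FromMinutes(5), () => clock);
        for (int i = 0; i < 5; i++) throttle.RecordFailure("alice");
        Console.WriteLine("alice locked: " + throttle.IsLocked("alice"));
        Console.WriteLine("bob locked: " + throttle.IsLocked("bob"));
        clock = clock.AddMinutes(6);   // the five-minute window has elapsed
        Console.WriteLine("alice locked after 6 min: " + throttle.IsLocked("alice"));
    }
}
```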

We probably all know the annoying captcha images that a lot of blogs use to separate humans from machines (spam robots). I use a captcha image to avoid comment spam on this blog because I get a lot of it, but I really don't like using it. I don't like that it makes it more difficult for my visitors to write comments, which is my only way of measuring the quality of the individual posts.

What I want is an invisible, unobtrusive captcha method that automatically makes sure the user is human, so I wrote a simple method that does just that. It works by adding a small JavaScript to the page that inserts a hidden form field when the form is submitted. To validate, the value of the hidden field must match a value kept on the server side. There is also a property that returns a Boolean indicating whether or not the user is human.

/// <summary>
/// Initializes the captcha and registers the JavaScript
/// </summary>
private void InitializeCaptcha()
{
  // The expected value is created once per page and kept in ViewState across postbacks
  if (ViewState["captchavalue"] == null)
  {
    ViewState["captchavalue"] = Guid.NewGuid().ToString();
  }

  // The script adds a hidden field carrying the expected value to the form on submit,
  // so only a client that actually runs the JavaScript sends it back
  System.Text.StringBuilder sb = new System.Text.StringBuilder();
  sb.AppendLine("function SetCaptcha(){");
  sb.AppendLine("var form = document.getElementById('" + Page.Form.ClientID + "');");
  sb.AppendLine("var el = document.createElement('input');");
  sb.AppendLine("el.type = 'hidden';");
  sb.AppendLine("el.name = 'captcha';");
  sb.AppendLine("el.value = '" + ViewState["captchavalue"] + "';");
  sb.AppendLine("form.appendChild(el);}");

  Page.ClientScript.RegisterClientScriptBlock(GetType(), "captchascript", sb.ToString(), true);
  Page.ClientScript.RegisterOnSubmitStatement(GetType(), "captchayo", "SetCaptcha()");
}

/// <summary>
/// Gets whether or not the user is human
/// </summary>
private bool IsCaptchaValid
{
  get
  {
    // Compare the posted hidden field with the value stored in ViewState
    if (ViewState["captchavalue"] != null)
    {
      return Request.Form["captcha"] == ViewState["captchavalue"].ToString();
    }

    return false;
  }
}

Examples of use

To use the captcha, call InitializeCaptcha from the Page_Load handler, then check the IsCaptchaValid property before you save the comment.

protected void Page_Load(object sender, EventArgs e)
{
  InitializeCaptcha();
}

/// <summary>
/// Handles the submit button's onclick event
/// </summary>
void btnSave_Click(object sender, EventArgs e)
{
  if (IsCaptchaValid)
  {
    SaveComment();
  }
}