InfoQ interviewed Vyacheslav Volkov, creator of CaptchaMvc, about his project and the future of captcha’s in general.
InfoQ: What prompted you to create your own captcha library?
At that time, I was starting to work with MVC 3 framework. I needed to use the captcha in my project and I started looking for a solution that could solve my problem. All that I was able to find worked only for MVC 2, or not worked at all. After these searches I wrote my own captcha implementation, and so appeared the first version of CaptchaMvc library. This version was simple enough, but even then, it was in demand.
InfoQ: How does CaptchaMvc differ from other captcha libraries?
CaptchaMvc is a flexible and easy solution that can solve all problems associated with captcha in your project. All you need is to add a library to your project, and the captcha is ready to work. It has everything you need for working with captcha:
- Has two types of captcha, plain and mathematical.
- Supports for storing captcha in the session or cookie.
- Supports the "intelligent captcha".
- The ability to easily extend the default implementation.
The project is constantly evolving and I try to provide support to all who ask. I think that those are the main things that distinguish it from other projects.
InfoQ: Do you foresee a time when captchas are no longer necessary? Or perhaps no longer effective?
We all dream of those times. Protection against bots will always be needed the captcha is just one of the ways that protection. There are various techniques that don’t use the captcha. For example, some developers create a “fake” input field and make it hidden for the user, and when a bot will try to fill a form, it probably will fill the field.
Even now, it is difficult to say that the captcha is effective protection against spam, there are many services that allow to bypass the captcha. The captcha only allows increasing the protection of your site against the bots, but it is not able to protect fully.
InfoQ: You list support for ASP.NET MVC 3, 4, and 5. Is there really that much difference between each version?
There are almost no differences between versions, only with MVC 4 was added the AllowAnonymousAttribute that is used in the library.
InfoQ: If you could change anything about ASP.NET MVC’s plugin/library support, what would it be?
The ASP.NET MVC is awesome web framework, I like the architectural solutions used in it. There is one thing in ASP.NET Web API that I do not like, it is not able to read the contents of the request more than once. I know that by design, the body content in ASP.NET Web API is treated as forward-only stream that can be read only once, but sometimes it gives a great inconvenience.
There are many things that I would like to change in WPF\Silverlight\XAML, but it is a theme for another interview.
InfoQ: What is the "intelligent captcha" and how does it differ from a normal captcha?
The basic idea is to make the captcha friendlier for the user, in the best case so that the user never saw the captcha. There are various techniques to make the captcha friendlier. For example, there is technique known as "the fake input field". The CaptchaMvc supports a variety of techniques to distinguish user from a bot. I tell you briefly about each of them:
- Fake input (class name - FakeInputIntelligencePolicy) – uses a “fake” input field, is what I wrote before.
- JavaScript (class name - JavaScriptIntelligencePolicy) – tries to check whether the user has JavaScript enabled, if JavaScript is disabled the user will have to enter a captcha.
- Response time (class name - ResponseTimeIntelligencePolicy) - allows you to set the time during which the captcha will not be considered valid. Assuming a robot requests a form, fills it in and submits it ... the time between page loads and submit maybe less than a second - which no human could do.
- A combination of several (class name - MultiIntelligencePolicy) - allows you to combine different policy into one.
I want to give an example of code that allows you to set the “intelligent captcha”, here is an example of code that I use on my website:
CaptchaUtils.CaptchaManager.IntelligencePolicy = new MultiIntelligencePolicy(
new FakeInputIntelligencePolicy(),
new JavaScriptIntelligencePolicy(),
new ResponseTimeIntelligencePolicy(TimeSpan.FromSeconds(3)));
InfoQ: Is this a “done” project or is there more you think CaptchaMvc should do.
Now, I write a new version that will support the ASP.NET Web API. Currently, it is all the changes that I plan, but in the future things can change, and I will add something else.