Captcha should change on invalid input

[ajahangard]

Hi,

I think there is a security issue with this implementation. Captcha image should change on invalid input so the user be unable to try multiple times. In your demos, there are samples of Captchas to sum two numbers. It's easy to pass the validation by brute forcing because the image captcha value does not change on invalid input.

[VahidN]

• If the user posts the form to the server, set the captcha's text to empty to redraw it.
• If you are talking about rate limiting, you can use the AbsoluteExpiration parameter to control the refresh frequency of the captcha.
• Also using the Compare attribute is not mandatory. It will make the whole process nicer, but you can omit it and then do the comparison manually on form's submit (if (userLoginViewModel.CaptchaText.Equals(userLoginViewModel.EnteredCaptcha)){}). Now if the inputs don't match, redraw the captcha with the new data.

[ajahangard]

Yes, I think the third statement is the solution. One should not use Compare to validate. Thank you