Today, I want to create a verification code with high security, because my website has recently been hit by spam.
Solution 1: In the past, the company's verification code solution was very primitive: img.src = verifycode.aspx?Code=4321, where 4321 is the number shown in the image. This is very crude. Because the verification of the code was required to happen on the client, the code is written directly to the client in plaintext. Anyone who can write a regular expression for this pattern can write a robot to send spam.
Solution 2: This is the scheme for generating a verification code in .NET that is very common on the Internet. The image address points to a page; the page writes an image response (with an image Content-Type) to the client and also writes a cookie to the client. The cookie is encrypted by the server. When the page is submitted, the encrypted cookie string and the verification code entered by the user are posted to the server for verification. The serious disadvantage of this solution is cookie overwriting. The registration or login pages of several major portals, including Netease, Sina, and Sohu, are exposed to this problem. For example, the link:
http://passport.sohu.com/web/reguser
When you open more than two of these links and submit them, the verification code on the page is reported as incorrect: the latest cookie has already overwritten the previous one, so the decrypted value does not match. How can we solve this problem? Today I thought about this conflict between concurrently requested verification codes; the conclusion is that the encrypted data cannot be stored in cookies or in the session. (A friend suggested storing it in the session, but the session is itself based on cookies, and sessions make load balancing difficult for a large website. The session is discussed again below.) Therefore, I have a third verification code solution.
Solution 3:
<%@ Control Language="C#" AutoEventWireup="true" CodeFile="vimg.ascx.cs" Inherits="vimg" %>
<input id="vtext" runat="server" /> <asp:Image runat="server" ID="vimg" ImageUrl="" /> <%-- <a href='' onclick='window.location.href = window.location.href;'>cannot see clearly?</a> --%>
<script type="text/javascript" src="JS/jquery.js"></script>
<input type="hidden" id="hvimg" value="" runat="server" />
<script>
// On load, request the image for the encrypted string held in the hidden control.
// The encrypted string goes into the query string, so it has to be URL-safe.
window.onload = function () {
    document.getElementById('<%= vimg.ClientID %>').src = "verifycode.aspx?v=" + document.getElementById('<%= hvimg.ClientID %>').value;
};
// Ask the server for a new encrypted string; the timestamp defeats caching.
function getimg() {
    $.ajax({
        type: "GET",
        url: "getnum.aspx?timestamp=" + new Date().getTime(),
        data: "",
        success: successfunc
    });
}
// Store the new encrypted string in the hidden control and reload the image.
function successfunc(msg) {
    $("#<%= hvimg.ClientID %>").get(0).value = msg;
    document.getElementById('<%= vimg.ClientID %>').src = "verifycode.aspx?v=" + document.getElementById('<%= hvimg.ClientID %>').value;
}
</script>
<a href="javascript:void(0);" onclick="getimg(); return false;">cannot see clearly?</a>
The code above is the encapsulated login verification user control. It works as follows:
Step 1: Randomly generate a four-digit number on the server and encrypt it. The encrypted string is assigned to a hidden control, that is, hvimg in the code.
Step 2: In window.onload, append the value of the hidden control as the query string of a page link. This page, verifycode.aspx?v=, is the one that sends back the image.
Step 3: When the user clicks the "cannot see clearly?" link, the client sends an Ajax request to the server for a new encrypted string, assigns the value to the hidden control, and changes the src of the img, so a new verification code image is loaded.
Step 4: Verify on the server: decrypt the value in the hidden control and compare it with the verification code entered by the user to check that the input is correct.
Note: getnum.aspx is the Ajax request page. It only returns an encrypted string, which raises a URL encode/decode issue. Please pay attention to it.
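The server side of steps 1 and 4, as an added Node.js sketch (not the author's ASP.NET code, which the page does not show). The AES-256-GCM sealing, the shared key, the five-minute expiry and all function names are assumptions made for illustration.

```javascript
const nodeCrypto = require("crypto");

// Assumption: one secret key shared by every web server behind the load balancer.
const KEY = nodeCrypto.randomBytes(32);
const TTL_MS = 5 * 60 * 1000; // assumed lifetime of a challenge

// Encrypt "code|expiry" with AES-256-GCM; base64url output has no '+', '/' or '=',
// so it survives the hidden field and the verifycode.aspx?v= query string unchanged.
function seal(code, expires) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", KEY, iv);
  const body = Buffer.concat([cipher.update(`${code}|${expires}`, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString("base64url");
}

// Step 1: random four-digit code plus the encrypted string for the hidden control.
function issueChallenge(now = Date.now()) {
  const code = String(nodeCrypto.randomInt(0, 10000)).padStart(4, "0");
  return { code, token: seal(code, now + TTL_MS) };
}

// Decrypt a token; returns the code, or null if it is tampered, malformed or expired.
function unseal(token, now = Date.now()) {
  try {
    const raw = Buffer.from(String(token), "base64url");
    const decipher = nodeCrypto.createDecipheriv(
      "aes-256-gcm", KEY, raw.subarray(0, 12), { authTagLength: 16 });
    decipher.setAuthTag(raw.subarray(12, 28));
    const text = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString("utf8");
    const [code, expires] = text.split("|");
    return Number(expires) > now ? code : null;
  } catch {
    return null;
  }
}

// Step 4: compare the decrypted code with the user's input in constant time.
function verify(token, userInput, now = Date.now()) {
  const code = unseal(token, now);
  if (code === null) return false;
  const a = Buffer.from(code), b = Buffer.from(String(userInput));
  return a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
}
```

Nothing is stored on the server, so two tabs hold two independent tokens and neither overwrites the other. For the same reason a token and its answer are accepted repeatedly until the expiry; making a challenge single-use needs a store shared by the servers.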
Of course, there is a slightly simpler method. The basic idea is still to store the encrypted string in the hidden control, but instead of using Ajax to refresh the verification code image, the image is refreshed by posting the whole page back to the server.
The design is slightly simpler, but the user experience is almost the same.
Why is it designed like this?
1. Prevent the cookie from being overwritten.
2. Prevent the page from being refreshed when the verification code image is dynamically requested.
3. Prevent the verification code from being recognized, and with it spam comments.
In addition, I want to talk about how to store the verification code on the server. CSDN does it like this (according to my analysis; there is no real evidence).
You can test: Use IE7, open the CSDN page: http://passport.csdn.net/UserLogin.aspx
Open it again in the same tab, and enter the verification code of the second login on the first page; you are told that the login is successful!
Why? Because the site stores the verification codes of both opened pages on the server, for example in a Hashtable in the session. If the verification code entered by the user can be found in the Hashtable, the verification code is accepted as correct.
However, this cannot be demonstrated with IE6. Why? ASP.NET treats two newly opened IE6 windows as different sessions, so it allocates different ASP.NET_SessionId cookie values. If you do not believe this, you can use Fiddler to track and view the cookies. Since they are treated as different sessions, the Hashtable in each session is different, and of course the demo does not succeed.
In addition, Sina has made a special verification code that you can also listen to. Look at this link and go to the verification code at the end of the page; there is a link there called "Listen to the Verification Code".
http://blog.sina.com.cn/s/blog_57ebc672010089rx.html
However, the verification code I listened to later was inconsistent with the actual image verification code, haha.
I have studied the verification code today. I hope you can share your solutions with us.
If you want the source code of the third solution, you can leave a message for me. I have not sorted it out yet and will provide it later.