Use the NoBot control in the ASP.NET AJAX Control Toolkit to reject spam-posting programs

Source: Internet
Author: User

This article is Chapter 10, Section 1 of my upcoming book, ASP.NET AJAX Programming, Volume I: Server-side ASP.NET AJAX Extensions and the ASP.NET AJAX Control Toolkit (tentative title). Suggestions and comments are welcome.

10.1 NoBot: Reject bot programs

The NoBot control provides CAPTCHA-like [NOTE 1] verification for the forms on a page, without requiring any user action, to prevent robots from automatically submitting junk information.

10.1.1 Application scenarios

Junk information seems to be everywhere on the Internet. It used to be spam e-mail and advertisements; now these pervasive spam publishers have set their sights on the major websites. Various robot programs (bots) have emerged that crawl the network automatically, search for pages with a comment or message function, and then fill in and submit the form automatically. In both quantity and "quality", the junk they submit leaves traditional manual posters far behind. Administrators often find that thousands of advertisements have appeared on their sites overnight, which not only buries the genuinely useful information but also overwhelms the website's performance.

As a result, many countermeasures have emerged, the best known being the various verification images. The text in a verification image is randomly generated by the computer and then distorted, altered, and blurred as much as possible, the goal being that only intelligent humans can make out the content (as shown in Figure 10-1), while computers at their current level can only stare at the image and sigh. The text the user reads from the image is sent to the server along with the form. By checking whether the text entered by the client is correct, the server can judge whether the submission was made by a human, and so distinguish robot programs from humans.

Figure 10-1 An extremely complex verification image

So far this approach has been very effective, because computer image processing is not yet advanced enough to fully recognize the text in such a complex image. But its drawback is just as obvious: it is a nuisance! Every time you submit a form you have to strain your eyes to read the content of the image and type in a string of meaningless, incoherent characters, which is a real pain. For people with impaired vision, such verification images are harder still.

As a result, some websites offer another option for people with impaired eyesight: they can listen to a recording and enter the letters they hear, so that humans and computers are distinguished by sound. The Hotmail registration page is one example, as shown in Figure 10-2.

Figure 10-2 Distinguishing humans from computers by recognizing sounds

This seems to have taken everything into consideration... But what if a user does not know English? Isn't it still unusable? There are so many languages in the world; should a version be provided for each one? Moreover, even if every language version were provided, this fatal problem still could not be solved!

Is there a way to screen out robot programs that is completely transparent to users and needs no user action? The NoBot control in the ASP.NET AJAX Control Toolkit offers such a solution, as a reasonable compromise.

10.1.2 Declaration syntax and common attributes

The NoBot control can accurately determine whether the current operation was performed by a human in the following four ways:

    1. Have the client browser execute a piece of JavaScript and check the result. Robots generally just fetch the content of the HTTP stream, analyze it, fill in the form, and submit it. That process does not involve any browser functionality, so the JavaScript on the page is never parsed and run to produce the correct result. The JavaScript can be a simple piece of pure arithmetic, such as 123 * 4455 = ?, or a complex DOM operation, such as dynamically creating a <div> and returning its position. Such code can only be run in a browser, and most robot programs are obviously powerless to perform the computation.
    2. Check whether the client keeps session state. Generally only browsers pay attention to session state and keep it, while a simple robot program ignores session state information entirely.
    3. Measure the interval between the client receiving the page and submitting the form. Robots care more about "efficiency": with a computer's processing power, they can fill in the form and submit it to the server almost instantly after receiving the page. A human obviously cannot complete a complex form within a few seconds.
    4. Count the number of submissions from a client within a given period. Similarly, a human would be unable to, and would see no point in, filling in the same form 100 times in one minute, for example. For robots, this is likely to be their usual style.

Although these four methods cannot stop robots completely, they are very effective and accurate in most cases. Their biggest advantage is that they require no user interaction, which makes the program friendlier and easier to use.
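The four checks above can be modelled in a small console program to see how they interact. This is an added example, not code from the book or from the toolkit: the class and member names, the order in which the checks run, and the sample traffic are assumptions made for illustration. The settings (2-second minimum delay, at most 2 submissions per 10-second window) are the values used by the sample page later in this section.

```csharp
using System;
using System.Collections.Generic;

// Simplified model of the four checks; not the toolkit's implementation.
enum Verdict { Pass, NoSession, BadResponse, TooSoon, TooActive }

class Submission
{
    public string Address;   // client IP address
    public bool HasSession;  // client sent back the session state it was given
    public string Response;  // result the client computed for the challenge script
    public double ServedAt;  // when the page was sent, in seconds
    public double PostedAt;  // when the form came back, in seconds
}

class BotCheckModel
{
    private readonly double minDelay;   // minimum seconds between page and postback
    private readonly double window;     // length of the counting window, in seconds
    private readonly int maxPerWindow;  // submissions allowed per address per window
    private readonly Dictionary<string, Queue<double>> seen =
        new Dictionary<string, Queue<double>>();

    public BotCheckModel(double minDelay, double window, int maxPerWindow)
    {
        this.minDelay = minDelay;
        this.window = window;
        this.maxPerWindow = maxPerWindow;
    }

    public Verdict Evaluate(Submission s, string expectedResponse)
    {
        // Assumption of this model: every postback counts against its address,
        // including postbacks that another check rejects.
        Queue<double> times;
        if (!seen.TryGetValue(s.Address, out times))
            seen[s.Address] = times = new Queue<double>();
        while (times.Count > 0 && times.Peek() <= s.PostedAt - window)
            times.Dequeue();                 // drop entries that left the window
        times.Enqueue(s.PostedAt);

        if (!s.HasSession) return Verdict.NoSession;                     // method 2
        if (s.Response != expectedResponse) return Verdict.BadResponse;  // method 1
        if (s.PostedAt - s.ServedAt < minDelay) return Verdict.TooSoon;  // method 3
        if (times.Count > maxPerWindow) return Verdict.TooActive;        // method 4
        return Verdict.Pass;
    }
}

static class Program
{
    static Submission Post(string addr, bool session, string resp, double served, double posted)
    {
        return new Submission { Address = addr, HasSession = session,
                                Response = resp, ServedAt = served, PostedAt = posted };
    }

    static void Main()
    {
        var model = new BotCheckModel(2, 10, 2);
        const string expected = "4200";  // one fixed challenge answer keeps the model short
        var traffic = new[]              // constructed sample submissions
        {
            Post("192.0.2.10", true,  "4200", 0,  8),     // ordinary visitor
            Post("192.0.2.20", false, null,   0,  0.1),   // kept no session state
            Post("192.0.2.30", true,  "",     0,  5),     // never ran the script
            Post("192.0.2.40", true,  "4200", 10, 10.3),  // answered within 0.3 s
            Post("192.0.2.10", true,  "4200", 9,  12),    // second post in the window
            Post("192.0.2.10", true,  "4200", 13, 16),    // third post in 10 s
            Post("192.0.2.10", true,  "4200", 17, 23),    // window has moved on
        };
        foreach (var s in traffic)
            Console.WriteLine("{0,-12} t={1,5}s  {2}", s.Address, s.PostedAt, model.Evaluate(s, expected));
    }
}
```

Changing the three constructor arguments and re-running shows how a stricter or looser configuration moves legitimate submissions into or out of the rejected set.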

The NoBot control is completely invisible on the page, which seems to have nothing to do with the dazzling interface effects we subconsciously associate with Ajax programs. From the standpoint of user experience, however, NoBot is a major improvement, and it fits the most fundamental design goal of Ajax: to improve the user experience.

The syntax for declaring the NoBot control is similar to the following:

<ajaxToolkit:NoBot
    ID="NoBot"
    runat="server"
    ResponseMinimumDelaySeconds="2"
    CutoffWindowSeconds="60"
    CutoffMaximumInstances="5"
    OnGenerateChallengeAndResponse="NoBot_GenerateChallengeAndResponse" />

The NoBot control inherits from System.Web.UI.WebControls.CompositeControl and indirectly from System.Web.UI.WebControls.WebControl, so it has all the properties, methods, and events of those controls. The attributes commonly used when declaring a NoBot control are listed in Table 10-1.

Table 10-1 Common attributes for declaring the NoBot control [NOTE 2]

    1. ResponseMinimumDelaySeconds: The reasonable interval, in seconds, between the client receiving the page and submitting the form. A submission made within this time is treated as coming from a robot.
    2. CutoffWindowSeconds: The length, in seconds, of the time window used to count submissions from the same client. If the number of submissions within this window exceeds the value specified by CutoffMaximumInstances, the client is treated as a robot.
    3. CutoffMaximumInstances: The maximum number of submissions allowed from the same client within one window. If the number of submissions within the window specified by CutoffWindowSeconds exceeds this value, the client is treated as a robot.
    4. OnGenerateChallengeAndResponse: The handler for the GenerateChallengeAndResponse event. In this handler we set the JavaScript code the browser is to execute and the expected result. If the result the browser returns does not match the expected result, the submission is treated as coming from a robot.

 

10.1.3 Example program: block submissions from robot programs

Although the NoBot control is relatively simple to set up, configuring it sensibly is not easy: checks that are too strict or too lax will not give the results we expect. Let's use an example program to analyze and discuss how to use the control.

First, add a ScriptManager control to a new page, then add a TextBox and a Button to simulate the simplest possible input form, and then add a Label to show whether the robot detection was passed:

<asp:TextBox ID="tbSomething" runat="server"></asp:TextBox>
<asp:Button ID="btnSubmit" runat="server" Text="Submit" />
<asp:Label ID="lbResult" runat="server"></asp:Label>

The following is the declaration of the NoBot control:

<ajaxToolkit:NoBot ID="NoBot" CutoffWindowSeconds="10" CutoffMaximumInstances="2"
    ResponseMinimumDelaySeconds="2"
    OnGenerateChallengeAndResponse="NoBot_GenerateChallengeAndResponse"
    runat="server" />

Let's look at the ResponseMinimumDelaySeconds attribute first. Because the form in this example is very simple and has only one field, we set it to a short 2 (seconds). In real development we should estimate how long users need to fill in the form, based on its complexity, and configure the attribute accordingly. For example, for a complex form such as the Hotmail user registration form, setting the attribute to 100 seconds would not be too much: anyone who can fill in that registration page in under 100 seconds is either a robot or a genius.

We set the CutoffWindowSeconds attribute to 10 (seconds). The larger the value, the longer the counting period and the more convincing the verdict, but the greater the overhead on the server. In general, a value between 10 and 100 is a reasonable choice.

We set the CutoffMaximumInstances attribute to 2 (times). Combined with CutoffWindowSeconds, this means the same client may submit at most 2 times within 10 seconds; a client that submits more often is treated as a robot. When setting this attribute we again need to consider the complexity of the form and estimate the time users need.

The OnGenerateChallengeAndResponse attribute names the handler for the GenerateChallengeAndResponse event, in which we set the JavaScript the browser is to execute and the expected result. Here we name it NoBot_GenerateChallengeAndResponse(); the function name itself does not matter, as long as developers can understand it. The signature of the event handler is as follows:

protected void NoBot_GenerateChallengeAndResponse(object sender, NoBotEventArgs e)

Note the parameter e of type NoBotEventArgs, which is used later. In this function we dynamically generate a <div> of random size, add it to the page's DOM tree, and save the product of its width and height as the expected value. At the same time a piece of JavaScript is written to the page; when it runs on the client, it locates the <div> and computes the product of its width and height. After the page is posted back, the NoBot control compares the expected value with the value actually obtained from the client to determine whether the client is a real browser, and hence whether it is a robot.

In the NoBot_GenerateChallengeAndResponse() method, first create an ASP.NET Panel. We choose Panel because the control is rendered as an HTML <div> element, whose width and height we can then read:

Panel nobotPanel = new Panel();

Next, generate two random numbers to use as the width and height of the Panel:

Random rand = new Random();
int width = rand.Next(80);
int height = rand.Next(120);

Then give the Panel a random ID. The ID is needed so that the later JavaScript can find the generated <div> on the client; making it random adds uncertainty to the program and further confuses robot programs:

nobotPanel.ID = string.Format("NoBotPanel{0}", rand.Next(1000));

Then apply the width and height generated above to the Panel:

nobotPanel.Width = width;
nobotPanel.Height = height;

To avoid interfering with the existing layout of the page, we also set the Panel's style to hide it:

nobotPanel.Style.Add(HtmlTextWriterStyle.Visibility, "hidden");
nobotPanel.Style.Add(HtmlTextWriterStyle.Position, "absolute");

Note that the first statement sets visibility: hidden; rather than the more common display: none;. With the latter, the browser would report the element's size as 0.

Then add the Panel as a child control of NoBot, to avoid any impact on the page structure:

(sender as NoBot).Controls.Add(nobotPanel);

Then set the validation JavaScript that will be executed in the browser:

e.ChallengeScript = string.Format("var nobotPanel = document.getElementById('{0}'); nobotPanel.offsetWidth * nobotPanel.offsetHeight;", nobotPanel.ClientID);

At run time this JavaScript first obtains a reference to the actual <div> element through the Panel's client ID, then reads its actual size through offsetWidth and offsetHeight and returns their product. The script is assigned to e.ChallengeScript, that is, the ChallengeScript property of the NoBotEventArgs object.

Finally, setting the expected result of the JavaScript above is very easy:

e.RequiredResponse = (width * height).ToString();

Note that the expected result must be assigned to e.RequiredResponse, that is, the RequiredResponse property of the NoBotEventArgs object.

In this way, if the client is a real browser, the JavaScript set in e.ChallengeScript is executed normally and returns exactly the value stored in e.RequiredResponse. If the two do not match, the client is considered to be a bot program that ignores JavaScript.

The complete code of NoBot_GenerateChallengeAndResponse() is as follows:

// Requires: using System; using System.Web.UI; using System.Web.UI.WebControls; using AjaxControlToolkit;
protected void NoBot_GenerateChallengeAndResponse(object sender, NoBotEventArgs e)
{
    // A Panel is rendered as a <div> whose size the browser can measure.
    Panel nobotPanel = new Panel();

    // Random size and random ID, so that the expected answer differs per page.
    Random rand = new Random();
    int width = rand.Next(80);
    int height = rand.Next(120);

    nobotPanel.ID = string.Format("NoBotPanel{0}", rand.Next(1000));
    nobotPanel.Width = width;
    nobotPanel.Height = height;

    // Hidden but still laid out; display: none would make the size 0.
    nobotPanel.Style.Add(HtmlTextWriterStyle.Visibility, "hidden");
    nobotPanel.Style.Add(HtmlTextWriterStyle.Position, "absolute");

    (sender as NoBot).Controls.Add(nobotPanel);

    // Script the browser must run, and the result the server expects back.
    e.ChallengeScript = string.Format("var nobotPanel = document.getElementById('{0}'); nobotPanel.offsetWidth * nobotPanel.offsetHeight;", nobotPanel.ClientID);
    e.RequiredResponse = (width * height).ToString();
}

Next we need to write the Page_Load() function, in which the NoBot control performs the verification. Verification is only needed on postback, so we ignore the initial page load:

protected void Page_Load(object sender, EventArgs e)
{
    if (IsPostBack)
    {
        // ......
    }
}

We write our verification code inside the branch where IsPostBack is true. First declare a variable of the NoBotState enumeration type; the NoBot control's verification result will be stored in it:

NoBotState state;

The NoBotState enumeration has the following values:

    1. Valid: Verification succeeded.
    2. InvalidBadResponse: The result of running the custom JavaScript described above (e.ChallengeScript) does not match the expected result (e.RequiredResponse); verification fails.
    3. InvalidResponseTooSoon: The client completed the form in less time than ResponseMinimumDelaySeconds specifies; verification fails.
    4. InvalidAddressTooActive: The number of requests from the client within the window specified by CutoffWindowSeconds exceeds the number specified by CutoffMaximumInstances; verification fails.
    5. InvalidBadSession: Session state verification failed, possibly because the client did not keep the session state; verification fails.
    6. InvalidUnknown: Unknown error; verification fails.

Then pass this NoBotState variable by reference (as an out parameter) to the IsValid() method of the NoBot control. The method returns a Boolean value indicating whether verification succeeded, and it also sets the NoBotState variable to the corresponding enumeration value. We can therefore branch on the return value of IsValid() and act accordingly:

if (NoBot.IsValid(out state))
{
    // ......
}
else
{
    // ......
}

When verification passes, we show a sample message:

lbResult.Text = "Your information has been submitted!";

If verification fails, a detailed error message is shown instead:

string errorMessage = string.Empty;
switch (state)
{
    case NoBotState.InvalidAddressTooActive:
        errorMessage = "This IP address has submitted too many requests in a short time.";
        break;
    case NoBotState.InvalidBadResponse:
        errorMessage = "The browser detects that the script is not running or the running result is incorrect.";
        break;
    case NoBotState.InvalidBadSession:
        errorMessage = "ASP.NET session status is unavailable.";
        break;
    case NoBotState.InvalidResponseTooSoon:
        errorMessage = "The interval between two delivery requests is too short.";
        break;
    case NoBotState.InvalidUnknown:
        errorMessage = "Unknown error.";
        break;
}
lbResult.Text = string.Format("Request rejected. Reason: {0}", errorMessage);

For demonstration purposes, the code above patiently explains each reason. In a real application we need not be so "friendly": simply show "suspected robot program", or end the HTTP session outright with Response.End() to teach the robot a lesson, so that it cannot learn more about the NoBot implementation details in our program.
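One way to follow that advice while still keeping the reason for later tuning, shown here as an added example rather than code from the book: the page displays the same generic message whichever check failed and writes the NoBotState to the server-side trace. The class name NoBotDemo and the choice of logged fields are assumptions; the control IDs (NoBot, lbResult) are those of the sample page.

```csharp
using System;
using AjaxControlToolkit;

// Code-behind for the sample page; NoBotDemo is a hypothetical class name.
public partial class NoBotDemo : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
            return;                       // nothing to verify on the first load

        NoBotState state;
        if (NoBot.IsValid(out state))
        {
            lbResult.Text = "Your information has been submitted!";
            return;
        }

        // Keep the specific reason on the server only. The fully qualified name
        // is needed because Page.Trace would otherwise hide System.Diagnostics.Trace.
        // Behind a reverse proxy, UserHostAddress is the proxy's address, so many
        // real users can share one entry and trip InvalidAddressTooActive together.
        System.Diagnostics.Trace.TraceWarning(
            "NoBot rejected postback: state={0}, address={1}, path={2}",
            state, Request.UserHostAddress, Request.Path);

        // The client sees one message regardless of which check failed,
        // and the submitted form data is not processed any further.
        lbResult.Text = "Request rejected: suspected robot program.";
    }
}
```

Counting the logged states per day shows whether ResponseMinimumDelaySeconds or the cutoff settings are rejecting real users and need to be relaxed.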

For reference, the complete code of the Page_Load() function is listed below:

protected void Page_Load(object sender, EventArgs e)
{
    if (IsPostBack)
    {
        NoBotState state;
        if (NoBot.IsValid(out state))
        {
            lbResult.Text = "Your information has been submitted!";
        }
        else
        {
            string errorMessage = string.Empty;
            switch (state)
            {
                case NoBotState.InvalidAddressTooActive:
                    errorMessage = "This IP address has submitted too many requests in a short time.";
                    break;
                case NoBotState.InvalidBadResponse:
                    errorMessage = "The browser detects that the script is not running or the running result is incorrect.";
                    break;
                case NoBotState.InvalidBadSession:
                    errorMessage = "ASP.NET session status is unavailable.";
                    break;
                case NoBotState.InvalidResponseTooSoon:
                    errorMessage = "The interval between two delivery requests is too short.";
                    break;
                case NoBotState.InvalidUnknown:
                    errorMessage = "Unknown error.";
                    break;
            }
            lbResult.Text = string.Format("Request rejected. Reason: {0}", errorMessage);
        }
    }
}

This completes the sample program. Compile it and view the page in the browser, as shown in Figure 10-3.

Figure 10-3 The initialized form

Enter some text in the text box, make sure you wait 2 seconds, and then submit the page. You will see the verification-passed message "Your information has been submitted!", as shown in Figure 10-4.

Figure 10-4 Verification passed

Click Submit again quickly (within 2 seconds) and you will see the verification-failure message "Request rejected. Reason: The interval between two delivery requests is too short."

Figure 10-5 Verification failed because the interval between two submissions is too short

If the form is submitted more than twice within 10 seconds, you will see the verification-failure message "Request rejected. Reason: This IP address has submitted too many requests in a short time."

Figure 10-6 Verification failed because the same IP address submitted too many requests in a short time

If JavaScript is disabled in the browser, you will see the verification-failure message "Request rejected. Reason: The browser detects that the script is not running or the running result is incorrect."

Figure 10-7 Verification failed because the script did not run in the browser or its result was incorrect

 

10.1.4 FAQs and tips

Can NoBot completely replace traditional verification images?

No. With computer technology at its current level, image verification remains the most accurate and irreplaceable way to tell robots from real users. A robot program can, by one means or another, simulate a browser and cleverly bypass the rules the NoBot control applies. The NoBot control also has to keep a good deal of statistics, such as the number of submissions from each IP address in a given period and the submission interval for each page, which affects server performance to some extent. In addition, if the NoBot control is improperly configured, or the user's browser does not support JavaScript (such as browsers on some mobile devices), the result can easily be a high false-positive rate or even users who can never pass verification, which hurts the user experience.

If it is configured properly and the server has ample resources, the NoBot control has clear advantages. When choosing a verification method, therefore, weigh the problems above carefully against the actual application scenario and decide accordingly.

How do I choose the JavaScript that the browser is forced to execute, that is, the ChallengeScript?

This JavaScript is difficult to debug, so it should be as simple as possible. At the same time, to keep robots from predicting the result, it must contain considerable uncertainty. The method demonstrated in the example above, creating a <div> and checking the product of its height and width, is therefore very suitable: it is simple enough, and random enough to make the result unpredictable for robots.

[1] CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It is an algorithm by which a computer generates tests that distinguish computers from humans; such a program must be able to generate and grade tests that humans pass easily but computers cannot. The verification images in common use today are CAPTCHAs. For more information, visit "The CAPTCHA Project" website: http://www.captcha.net/.

[2] The ID attribute serves as the control's identifier. We are all very familiar with it, so it is not listed here. The same applies below.
