C# Implementation for .NET 2.0
Adrian Godong
--
Adrian Godong
adrian...@gmail.com
Microsoft MVP
https://mvp.support.microsoft.com/profile/Adrian
reCAPTCHA Support
This is nice, just a few comments:
- Joseph found that he needed to use HTTP 1.0 (setting ProtocolVersion) he wrote to me:
> > 2) When I call the verify service from the asp.net server, I get an exception that states: "The remote server returned an error: (417) Expectation Failed." I'm
> > able to work around it by adding this setting to my Web.config:
> > <servicePointManager expect100Continue="false" />
> > However, I'd like to avoid asking people to make that configuration change if possible. Do you have any idea as to how you can compensate for this at the verify
> > server? You can find a little more information about this here: http://msdn2.microsoft.com/en-us/library/system.net.servicepointmanager.expect100continue.aspx* - Joseph also had an issue with the user's IP address being returned in ipv6 style on Vista.
> > 1) Testing against localhost on my Vista machine reports the remote IP as ::1. Not sure if this is an oddity of vista, or having IPv6, or what, but thought you
> > might find that useful to know. Currently, in the source for the validator, if the remote IP is ::1, I just send " 127.0.0.1" - I'm a bit worried about this code:
String postData = String.Format("privatekey={0}&remoteip={1}&challenge={2}&response={3}",
this.PrivateKey,
this.Page.Request.UserHostAddress,
this.Context.Request.Form[RECAPTCHA_CHALLENGE_FIELD],
this.Context.Request.Form[RECAPTCHA_RESPONSE_FIELD]);
I think we should consider url encoding the challenge & response (I'm not sure if this could be used to make an attack... but it's just a bit worrying) - Generally, it's good to not call the reCAPTCHA server if the challenge or response is empty -- many spammers make submissions like this and it makes things faster for everybody to not make a call to our servers.
- Joseph's plugin set IsSecure automatically
reCAPTCHA: stop spam, read books
http://recaptcha.net
Adrian Godong
reCAPTCHA Support
Ok, I'm running a Windows XP machine and there's no need for HTTP 1.0.I'm running Vista at home, so I'll try that too (maybe it's already improved in 2.0, but I've seen Joseph's code for handling IPv6). But then, it should be the problem for reCPATCHA servers because validation (and matching) between user request and server submission is handled there. IMO, you shouldn't support IPv6 just yet, since no one is using that (other than that LANs and research groups). The only way to do this is that servers should run IPv4 only (this way, users don't need to worry about anything because requests will come through IPv4 address).
The issue with IPv6 is that on vista, IIS returns "::1" as the IP address if you make a request from localhost.
Requests to reCAPTCHA servers are encoded in UTF8 (it's the line after string generation). I can implement a pre-request validations (return incorrect if empty, etc.)
I'm worried about somebody making a response:
foo&a=b
the "a=be" would be passed to our scripts as a parameter.
I've also implemented a manual IsSecure since I don't know how does secure pages are served. Do you need to code anything or just set config? If code then it's not a big deal, if it's over config, then I'll implement automatic checking based on protocol (just like Joseph's) or based on something else (don't know right now).
The only change for secure pages is that you need to fetch the page from:
https://api-secure.recaptcha.net
This is needed only if the aspx page is served over https, which is why Joseph's code is nice (it checks the current protocol).
Anyone has opinion about proxy support? I mean do you have web servers running behind proxy for external requests? If it does, we might need to eval this scenario.
Arun
control. This is my first piece of .NET code, so I'm sure I might
wrong on a number of counts. But I thought, I might share my
experiences.
BTW I'm developing the user control using C# on Windows XP SP2
with .NET 2.0
I had the same 417 Expectation Failed error as Adrian. It seems like
the .NET API adds an 'Expect' HTTP Header when a POST request is used.
So I added some code to suppress this:
request.ServicePoint.Expect100Continue = false;
However, I ran into some other problems when trying to validate the
solution as the server was, according to .NET, closing the connection
prematurely. Looking at the server headers returned by the validation
server it appears that it is using HTTP/1.0, so the closing of the
connection isn't surprising in that context.
So I now use HTTP/1.0 instead of the default, and it don't need to
suppress the Expects header anymore as that is an HTTP/1.1 feature.
I'm using Windows XP, so I'm a bit surprised that Adrian says that
there is no need to use HTTP/1.0, as the server headers clearly
indicate that the server speaks HTTP/1.0
Adrian Godong
Adrian Godong
reCAPTCHA Support
So I now use HTTP/1.0 instead of the default, and it don't need to
suppress the Expects header anymore as that is an HTTP/1.1 feature.
Joseph Hill did that in his version of the plugin and it seemed to work well.
Arun
http://msdn2.microsoft.com/en-us/library/system.net.httpwebrequest.servicepoint(VS.80).aspx
On Jun 28, 9:55 am, "Adrian Godong" <adrian.god...@gmail.com> wrote:
> BTW, I can't find any ServicePoint property on my HttpRequest object. Can
> you provide the full namespace? Am I missing something here.
>
> On 6/28/07, Arun <gregoria...@gmail.com> wrote:
>
>
>
>
>
> > I've been experimenting with creating a reCAPTCHA .NET 2.0 user
> > control. This is my first piece of .NET code, so I'm sure I might
> > wrong on a number of counts. But I thought, I might share my
> > experiences.
>
> > BTW I'm developing the user control using C# on Windows XP SP2
> > with .NET 2.0
>
> > I had the same 417 Expectation Failed error as Adrian. It seems like
> > the .NET API adds an 'Expect' HTTP Header when a POST request is used.
> > So I added some code to suppress this:
>
> > request.ServicePoint.Expect100Continue = false;
>
> > However, I ran into some other problems when trying to validate the
> > solution as the server was, according to .NET, closing the connection
> > prematurely. Looking at the server headers returned by the validation
> > server it appears that it is using HTTP/1.0, so the closing of the
> > connection isn't surprising in that context.
>
> > So I now use HTTP/1.0 instead of the default, and it don't need to
> > suppress the Expects header anymore as that is an HTTP/1.1 feature.
>
> > I'm using Windows XP, so I'm a bit surprised that Adrian says that
> > there is no need to use HTTP/1.0, as the server headers clearly
> > indicate that the server speaks HTTP/1.0
>
> --
> Adrian Godong
> adrian.god...@gmail.com
> Microsoft MVPhttps://mvp.support.microsoft.com/profile/Adrian
Adrian Godong
Arun
1.0 as well.
Just curious why the servers are configured to use HTTP/1.0 instead of
version 1.1, as version 1.0 doesn't support persistent connections.
Given the number of gif images and script files that are downloaded as
part of the reCAPTCHA interface, there should be a noticeable
improvement in network performance if you used version 1.1 instead.
On Jun 28, 10:05 am, "reCAPTCHA Support" <supp...@recaptcha.net>
wrote:
reCAPTCHA Support
Timothy Parez
(as I didn't know about this one)
The one thing I get a lot as well is this
The underlying connection was closed: A connection that was expected
to be kept alive was closed by the server.
The code:
Line 110: HttpWebResponse verificationResponse =
(HttpWebResponse)verificationRequest.GetResponse();
Line 111: StreamReader verificationResponseReader = new
StreamReader(verificationResponse.GetResponseStream(),
Encoding.ASCII);
Is this a server problem or a problem on my end?
reCAPTCHA Support
carl.s...@gmail.com
HttpWebRequest request = HttpWebRequest.Create(GenerateVerifyUrl()) as
HttpWebRequest;
request.ProtocolVersion = HttpVersion.Version10;
On Jul 11, 7:20 pm, "reCAPTCHA Support" <supp...@recaptcha.net> wrote:
> Did you set the HTTP protocol version to 1.0? This seems to fix things up
> with .net.
>
> On 7/11/07, Timothy Parez <timothypa...@gmail.com> wrote:
>
>
>
>
>
>
>
> > I have my own implementation, very simular to the one described above
> > (as I didn't know about this one)
> > The one thing I get a lot as well is this
>
> > The underlying connection was closed: A connection that was expected
> > to be kept alive was closed by the server.
>
> > The code:
>
> > Line 110: HttpWebResponse verificationResponse =
> > (HttpWebResponse)verificationRequest.GetResponse();
> > Line 111: StreamReader verificationResponseReader = new
> > StreamReader(verificationResponse.GetResponseStream(),
> > Encoding.ASCII);
>
> > Is this a server problem or a problem on my end?
>
> --
> reCAPTCHA: stop spam, read bookshttp://recaptcha.net- Hide quoted text -
>
> - Show quoted text -