Hi!
I'm going to be implementing a form of CAPTCHA (the code that prevents automated form registrations) and it requires a session state.

Quote:

CAPTCHA Example:

After a person fills out a form, they see the previous picture just below the form. When they enter the code, I want to basically do this:

If Captcha is verified and correct, then do SQL INSERT statement (from session variables) to the table and redirect ususers to the next page.
Else, tell the users that the code is incorrect and to re-enter the Captcha code.

The company that gave me the CAPTCHA says that a session state needs to be enabled.

Now, how do I go about doing so?

I'd appreciate any help given.

Session state just works, automatically. Nothing is required on your part. Unless: (1) you disabled session state, in which case you need to re-enable it, (2) you're working with a hodge-podge mix of ASP Old and ASP.NET, or (3) you've done something wonky and put session state in the database, or whatever, which broke it.

You can test this pretty easily by setting a session variable when someone logs in ( Session("myVar") = "test" ) and then one a different page, output the value of the session variable to the page.

Maybe I'm misunderstanding something, though?

Oh, and for the record, implementing your own captcha system is extremely easy, if you choose to go in that direction instead. You could probably do it without using session state, although once you've authenticated that there's a human behind the terminal, you might want to "remember" that for the length of the session?

Quote:

Oh, and for the record, implementing your own captcha system is extremely easy, if you choose to go in that direction instead. You could probably do it without using session state, although once you've authenticated that there's a human behind the terminal, you might want to "remember" that for the length of the session?

How do I go about it without session state? That sounds easier and more fun than the other way.

The form they are filling out is strictly an information collector and there is no authentication (IE: no one logs in to this site.)

This is where we got the captcha from: http://www.lanapsoft.com It was their choice to buy it, rather than to deal with the hassles of creating one. This package integrates with Visual Studio's Toolbox and is added to the references.

Damnit, the internet goblins ate my post!

I had a quick look at the docs, but they're kind of sparse. I don't really know much about the software after looking them over, it seems like the kind of thing you'd need hands on experience with.

My guess is what you want is for someone to be presented with a captcha the first time they try to do something, and then after they pass it and prove they're human, they don't get bothered again? That sounds like what most people would ask for, and that sounds like what session state is probably being used for.

Quote:

My guess is what you want is for someone to be presented with a captcha the first time they try to do something, and then after they pass it and prove they're human, they don't get bothered again? That sounds like what most people would ask for, and that sounds like what session state is probably being used for.

YES. That is exactly it. (consequently, the insert statement you helped me with is in this same project...as I'm sure you figured, by now.)

Well, sessions will do exactly what you want, probably with zero work at all, but they also do a lot more, and they're pretty heavy. If the same "person" accesses your site twice within a 20 minute period*, with sessions, the server recognizes the two hits as being from the same "person." If not, it just sees two hits, and has no idea where they came from, or that they have the same source. I put person in quotes because, well, you could use IE and FireFox to trick things. * 20 minutes is configurable, you can make it last 2 minutes or two hours if you want to.

Session state also contains a private data store associated with the session, so if you have 50 people using your app within a 20 minute period, you have 50+ sessions living on the server, using RAM (in most cases) to store session data, CPU cycles to test session starts and ends, and all kinds of other stuff you probably won't take advantage of.

Now, session state is turned on by default in ASP.NET, so you're probably already set up to use it. But some developers are in the habit of turning it off to get more performance. So that might be the case for you, but probably not. I'd guess things should "just work" if you drop the captcha web control in and start using it?

But if you wanted to, you could turn off session state and preform what you need in a more efficient way. It sounds like that's not an option, if this particular captcha control demands session state, and if that's the case, you won't have to deal with rebuilding part of sessions, including time out features and whatnot. Let's say you were going to, though, here's the basics for what you'd do.

There's also application state, which is like session state in some ways, except there's only one copy. You could create a hash table or a dictionary that takes, say, an IP address as a key, and the last time the user passed the captcha as a value. Or, instead of storing these in memory in the web server, you could write the values into your SQL table, and then next time you want to look up whether a particular user is already verified as a human, you would run a query against SQL looking for their IP address, and then see that either they answered one five minutes ago, or it's been five weeks.

But then people use NAT and proxy servers, so an IP address really isn't enough to identify someone. And an IP + TimeStamp won't do, either, since you'll get requests at different times. So the answer is to use a cookie, and probably couple it with the calling IP address so that a hacker can't just sniff out the cookie while data bounces back and forth over the wire. Having both of these to track your users with will let you deal with five different people behind the same address.

Huh... interesting. I never actually knew what/why before... awesome.

So, am I correct in stating that simplicity isn't always the best route...for what I'm looking to do? Even though what I'm trying to do is rather simplistic?

I guess, according to the folks that want to do this, this site is strictly for college students looking to make more money for text books. They are to come to the site and fill out the form for a chance to win money.

They fill out the form, (input the captcha code) and hit submit. That data is entered into a database.... a few weeks/months later, a student is picked randomly as 1 of, 10,000 winners.

The session state or cookie (however we can make it work) is only a momentary thing. We won't be tracking any further information...so theoretically, we would only need to have it for about 5 minutes....if that.

Is there a way that we could end the session once they are re-directed to our "ThankYou" page?

I'm not sure whether you can explicitly end a session or not, but if you send them to the thank you page, and then they leave your site, 20 minutes later their session will time out anyway. I'm working on exposing some web services right now, and don't have access to session objects to test, but there might be a Session.End call, or, if not, on the ThankYou page, you can set Session.TimeOut = 1, which is in minutes.

As far as whether simplicity is best, it depends what your priorities are. This way, your server will work a bit harder than it needs to, and that could impact scalability, but the trade-off is less work on the developer, and having the project finished sooner.

And in all honesty, most people never change the defaults and wind up using sessions and all kinds of other stuff they don't really need. So while it's a best practice, it's not a death sentence not to follow it.

If you already payed for a component that needs sessions, you're probably better off just letting it use them. If you were expecting 10,000 registrations in the span of 10 minutes it might be a problem, and make sense to take the time to do things as efficiently as possible. If this were my project, I'd probably use sessions, and make a note somewhere about a possible future improvement, if scale ever starts to become an issue.

Ok, so i got it. I passed the variables to the insert statement!
I'm a happy camper!

so, my last deal is to find out how to format a text box for an email address.
I keep getting a format exception

Quote:

System.FormatException : The specified string is not in the form required for an e-mail address.

Any thoughts?

What's in the string, and what's the email address? I'm not sure I understand the question? I would think you might have "fake.email@test.com" as a string, and just write code like textbox1.Text = myStringVariable?

If you have any questions, go ahead and post the code you're working with. I got my WordPress theme working, so at this point, I can do anything!

Code:

Dim MyEmail AsString
'Message Formatting
MyEmail = txtEmail.Text
mMsg = "Thank you for registering with <a href='http://mywebproject.com>My Web Project</a>: The Student Panel. You will be contacted soon."
mTo = MyEmail
mFrom = "my web project"
mSubject = "Thank You!"
mMailServer = "localhost"
Try
 
Dim message AsNew MailMessage(mFrom, mTo, mSubject, mMsg)
message.IsBodyHtml = True
If mCC <> ""Or mCC <> String.Empty Then
Dim strCC() AsString = Split(mCC, ";")
Dim strThisCC AsString
ForEach strThisCC In strCC
message.CC.Add(Trim(strThisCC))
Next
EndIf
 
Dim mySmtpClient AsNew SmtpClient(mMailServer, mPort)
mySmtpClient.UseDefaultCredentials = True
mySmtpClient.Send(message)
MessageBox("The mail message has been sent to " & message.To.ToString())
Catch ex As FormatException
MessageBox("Format Exception: " & ex.Message)
Catch ex As SmtpException
MessageBox("SMTP Exception: " & ex.Message)
Catch ex As Exception
MessageBox("General Exception: " & ex.Message)
 
EndTry

Hmmm, this is a bit out of my realm - what happens when the code runs?