A CAPTCHA is test that distinguishes a human from a computer. The Captcha web control does this by displaying random text within an image. The text itself, as well as the image's background, are distorted to make recognition of the text within the image difficult for computer programs, but not so much that a human can not easily identify the text. The Captcha web control is implemented as a validator which must be successfully validated in order for page processing to continue.


To use the Captcha web control first place it on the ASP.NET page you wish to protect. The most likely pages will be your blogs' comment and contact pages. The locations of these files depend on the blog theme you're using. The typical location for them would be:


where <theme> is the theme name you're currently using.

The following line actually enables the Captcha, you can put it wherever you would like the Captcha to appear:

<th:Captcha runat="server" id="captcha1" />

Next, move the "captchaimage.aspx" file within the archive to Community Server's root directory. This is the actual image that the Captcha web control displays. (By default authenticated users are not presented with a CAPTCHA test so you won't see any difference on the page containing the Captcha if you are logged in. You can either set the TestAuthenticatedUsers property to true or logoff to see the CAPTCHA.)


The Captcha is a templated control, which allows you to change the appearance of its rendering. By using the <InnerTemplate> element within the Captcha you can modify its appearance. When utilizing a template you must use a System.Web.UI.WebControls.Image with an ID of "imgCaptcha" and a System.Web.UI.WebControls.TextBox with and ID of "txtCode". The following example illustrates a sample template containing all controls the Captcha uses.

<th:captcha runat="server" id="captcha1">
    <!-- Required -->
    <asp:image runat="server" id="imgCaptcha" />
    <asp:textbox runat="server" id="txtCode" />
    <!-- Optional -->
    <asp:hyperlink runat="server" id="linkReload" />
    <asp:label runat="server" id="lblError">The text entered was incorrect.</asp:label>


An example of the image displayed from the Captcha web control.


  • To mitigate against replay attacks, where the same cookie containing the Captcha code is submitted multiple times, version 2.0 of the Captcha web control implements a timeout. If sessionState is enabled then session is used to store the Captcha code and is immediately cleared upon successful validation. If sessionState is disabled then cookies are used to store the code and the timeout attribute of the <sessionState> web.config node controls the timeout.
  • When using the InnerTemplate the ErrorMessage, ErrorMessageColor, and Message properties are not used when rendering the web control.
  • If using the SubdomainModule to redirect urls you should add a <location> element to your SiteUrls.config file to prevent it from redirecting the url used to display the CAPTCHA image. If using the default location of this image add the following line:

    <location name="captchaimage" path="/captchaimage.aspx" />


Captcha Web Control

Property Description
Type of characters that should appear in the code.
An indication of whether an error message should be displayed.
Error message to display when the wrong code is entered.
Font color of the error message.
The error message to display when the time limit to enter the code has been exceeded.
Color of the image background.
Color of the image background noise.
Name of the font used in the image.
Color of the image foreground.
Color of the image foreground noise.
Height of the image.
Url of the image.
Width of the image.
The template of the web control.
Instructional text displayed to user.
Number of characters in the code.
The URL of the CAPTCHA reload icon. Set to the empty string to display no icon.
The text of the CAPTCHA reload icon. If the ReloadImageUrl property is set to a value this proprety becomes the icon's tooltip, otherwise it is displayed as text.
Indicates if the control should be visible to authenticated users.

CaptchaType Enumeration

Value Description
Alphabetic Uses only lowercase alphabetic characters.
Alphanumeric Uses a combination of numbers and lowercase letters, the digit 0 and letter o are never used with this value.
Numeric Only numbers are used.