Implementing Google's No Captcha reCaptcha In ASP.NET

Captchas and reCaptchas are great inventions. They help keep spam out and help to verify that humans are on the interwebs and not mischievous bots buying up all of our concert tickets. Captchas were annoying for the most part and they always took 3-4 attempts to get right. reCaptchas were less annoying, and at the same time they also did an amazing thing. They helped to digitize text in books that was illegible for machines. But in the end they still kind of sucked a bit. There was always that 'a' that might of been a '9' or the 'i' that could of been a '1', 'l', '|' etc.

Old, but still awesome, ReCaptcha

Google has now solved that problem with their latest release of reCaptcha. This newest version is easier for humans and harder for bots to decipher. It uses a new risk detection engine to determine based on the users interactions with the Captcha how likely it is for them to be a bot. And if there is some doubt it does have secondary methods that it falls back to to determine it. And since I'm updating my websites currently to use this latest version, I figured I'd share the process with the peoples out there. So let's start.

Latest No Captcha reCaptcha

Get your keys

First thing before anything you'll need a set of secure keys in order to make requests to the reCaptcha API, and you can do that by going to https://www.google.com/recaptcha/ and clicking on the Get reCaptcha link. You'll need to register your domain and site owner first before you get started with the form below.

And immediately after you'll be greeted with 2 brand new keys to work with. You'll get a:

Adding it to your site

Adding it to your website is a two step process. First you'll need to specify the following in the head section on your site.

<script src='https://www.google.com/recaptcha/api.js'></script>

And next stop you can add the following div wherever you want your new reCaptcha to show. Be sure to add the sitekey that you just received to the data-sitekey property in the div. The bottom example is just a random that one that wont work.

<div class="g-recaptcha" data-sitekey="6Lfsx4rtAAYHERAchhg1oKT46ctlzv9Y9HReK74g"></div>

And that's it! You now have a fully working reCaptcha on your webpage. The only thing left now is to verify the users response with Google.

Verifying a users answer

The new reCaptcha offers several different ways to go about verifying the users response. But I'll be showing how to do it by sending a simple POST request to Google with the users response. Once the form is submitted, the reCaptcha will add the g-recaptcha-response POST parameter to your parameter list, which is an encrypted string that will only work once and that you must send to Google to verify.

API Request URL

URL: https://www.google.com/recaptcha/api/siteverify

Url Parameters

secret: Required. The shared key between your site and ReCAPTCHA.

response: Required. The user response token provided by the reCAPTCHA to the user and provided to your site on.

remoteip: Optional. The user's IP address.

The Code

private bool CheckCaptcha()
{
        string url = "https://www.google.com/recaptcha/api/siteverify";
        WebRequest request = WebRequest.Create(url);
        string postData = string.Format("secret={0}&response={1}&remoteip={2}", ConfigurationManager.AppSettings["CaptchaSecretKey"], Request["g-recaptcha-response"], Request.UserHostAddress);
        
        request.Method = "POST";
        request.ContentType = "application/x-www-form-urlencoded";
        request.ContentLength = postData.Length;

        StreamWriter writer = new StreamWriter(request.GetRequestStream());
        writer.Write(postData);
        writer.Close();

        StreamReader reader = new StreamReader(request.GetResponse().GetResponseStream());
        string responseData = reader.ReadToEnd();
        
        JavaScriptSerializer jss = new JavaScriptSerializer();
        reCaptchaResponse cResponse = jss.Deserialize(responseData);
        return cResponse.success;
}

// define a new class to store our response, outside of the current class
public class reCaptchaResponse
{
    public bool success { get; set; }
}

API Response

Once we make the request, the response back should be in the following format. I went ahead and Deserialized it to a class that I generated, but if you were working with the JSON directly, then it would be in this format.

API Response

The response is a JSON object:

{
  "success": true|false,
  "error-codes": [...]   // optional
}

All we really need is the success flag, but if you want to show your users the specific error message you can also dive into the "error-codes" property. So if you have an old outdated user verification method, or no verification method at all, then maybe it's time to give Googles reCaptcha a try. Happy coding!

Walter Guevara is a software engineer, startup founder and currently teaches programming for a coding bootcamp. He is currently building things that don't yet exist.

Comments

N

Nick Fairall

8/15/2015 5:35:22 AM

Hi. I've been pulling my hair out here. It worked the first day I added the g-ReCaptcha API but the next day I just get the fallback images. The reason I've determined is that my site key that Google have supplied me with no longer gets a response when the checkbox is checked. If I use the Test Key Google supply, I do get a response? I have already changed my key to see if that helps but no good. My two pages are here: www.mobilitysavings.co.uk/mykey.html and www.mobilitysavings.co.uk/testkey.html. They are both identical but onlky the test key works. Is this a Google problem? Any ideas please? Many thanks to you.

reply

Walt

3/9/2017 1:04:41 PM

Sent you an email Nick!

reply

k

kiquenet

7/27/2016 4:41:53 AM

Is valid now for 2016 in ASP.NET WebForms ?

reply

Walt

8/1/2016 11:41:26 AM

Yes it is! I've just tested it on a newer website and it works just the same.

reply

Add comment