Creating and Using a CAPTCHA in ASP.NET MVC


Desktop-as-a-Service Designed for Any Cloud ? Nutanix Frame


A CAPTCHA is a challenge-response system wherein typically a dynamically generated image consisting of random letters and numbers is displayed to the users and the users are asked to re-enter the text in an attempt to verify that both of them match. Any ASP.NET developer would want to prevent spam and automated form submissions in the website being developed and that is where CAPTCHA is extremely useful. The primary purpose of CAPTCHA is to ensure that data is being submitted by humans and not by an automated software system. CAPTCHA is frequently used in user registration and contact forms to prevent spam and abuse of the facility. In this article you will learn how a simple CAPTCHA system can be developed in ASP.NET MVC.

Basic Steps

Before you delve into further details create a new ASP.NET MVC 3 application with ASPX views. Once created add a new controller named Home into the Controllers folder. You will be adding the required action methods to the Home controller later.

Creating a Custom Action Result

An action result indicates the response from an action method and is represented by System.Web.Mvc.ActionResult class. Though most of the action methods can use ActionResult class as their return value you can also create a custom action result class. In fact, the MVC framework includes several classes that inherit from the ActionResult base class. Many of them are shown in the following figure.

The MVC framework includes several classes
Figure 1: The MVC framework includes several classes

In order to create a CAPTCHA system it is necessary that we emit a dynamically generated image with random text onto the response stream. To meet this requirement you will create a custom Action Result class. The new action result will inherit from ActionResult base class. To create a new action result, add a new class in the Models folder and name it CaptchaImageResult. The following listing shows the empty CaptchaImageResult class.

public class CaptchaImageResult:ActionResult

Generating Random Strings

The CaptchaImageResult class needs to display random string values consisting of letters and numbers. To generate such random strings you will need to create a method inside the CaptchaImageResult class that does the job for you. The GetCaptchaString() method as shown below is responsible for creating fixed length strings consisting of alpha-numeric values.

public string GetCaptchaString(int length)
    int intZero = '0';
    int intNine = '9';
    int intA = 'A';
    int intZ = 'Z';
    int intCount = 0;
    int intRandomNumber = 0;
    string strCaptchaString="";
    Random random = new Random(System.DateTime.Now.Millisecond);
    while (intCount < length)
        intRandomNumber = random.Next(intZero, intZ);
        if (((intRandomNumber >= intZero) && (intRandomNumber <= intNine) || (intRandomNumber >= intA) && (intRandomNumber <= intZ)))
            strCaptchaString = strCaptchaString + (char)intRandomNumber;
            intCount = intCount + 1;
    return strCaptchaString;

As you can see, the GetCaptchaString() method accepts a single parameter - length - that indicates the length of the resultant CAPTCHA string. The four variables intZero, intNine, intA and intZ simply store ASCII values for numbers (0-9) and letters (A-Z). Note that we are using only upper case letters in the above logic. You can, of course, add lower case letters if required. Inside the while loop, Random class is used to generate random numbers between a range of 0-9 and A-Z. The random number obtained from the Random class is converted into a character value and stored in strCaptchaString variable. Finally, the complete CAPTCHA string is returned back.

Outputting an Image Dynamically in the Response Stream

Generating a random string is just one part of the story. More important is to emit this random string as an image in the response stream. Emitting the random string as an image will make it difficult for automated software programs to read the CAPTCHA string from the HTML source. To generate an image dynamically, you need to override ExecuteResult() method of the ActionResult base class. The ExecuteResult() method is responsible for any custom processing that the child class wants to plug-in. The complete ExecuteResult() method is shown below:

public override void ExecuteResult(ControllerContext context)
    Bitmap bmp = new Bitmap(100, 30);
    Graphics g = Graphics.FromImage(bmp);
    string randomString = GetCaptchaString(6);
    context.HttpContext.Session["captchastring"] = randomString;
    g.DrawString(randomString, new Font("Courier", 16), new SolidBrush(Color.WhiteSmoke), 2, 2);
    HttpResponseBase response = context.HttpContext.Response;
    response.ContentType = "image/jpeg";

The ExecuteResult() method has one parameter - ControllerContext - that provides the context information in which the method is being called. For example, the HTTP response stream is accessed using the HttpContext provided by the ControllerContext parameter. The method first creates a Bitmap of size 100 X 30. It then washes it with a Navy background. A random CAPTCHA string with a length of 6 characters is generated by calling the GetCaptchaString() method. This random string is then stored in a Session variable so that you can compare the user input later. The DrawString() method of the Graphics object draws the random string onto the image. The image is then saved onto the response stream in JPEG format.

In the above example, you are using a simplistic approach of generating CAPTCHA images. You can also make use of certain techniques (distorting the characters or emitting two sets of characters for example) that make it even more difficult for the automated software programs to read them.

Showing a CAPTCHA Image on a View

Next, you need to create an action method in the Home controller as shown below:

public CaptchaImageResult ShowCaptchaImage()
    return new CaptchaImageResult();

The ShowCaptchaImage() method simply returns a new instance of CaptchaImageResult class you created earlier. Note that the MVC framework takes care of calling the ExecuteResult() overridden method for you.

The ShowCaptchaImage() action method is used in the Index view as shown below:

<h1>Captcha in ASP.NET MVC</h1>
using (Html.BeginForm("index", "home"))
<p><img src="/home/ShowCaptchaImage" /></p>
<p>Please enter the string as shown above:</p>
<p><%= Html.TextBox("CaptchaText")%></p>
<p><input type="submit" value="Submit" /></p>
<strong><%= ViewBag.Message %></strong>

As you can see, the above markup creates an HTML form. Notice how the src attribute of the <img> tag is pointing to the ShowCaptchaImage action method. This way whenever the image is rendered it invokes the ShowCaptchaImage() method and a CAPTCHA image is outputted. The TextBox allows the user to enter the text as seen on the CAPTCHA.

The following figure shows the Index view in action:

The Index View
Figure 2: The Index View

Verifying the CAPTCHA Value

Before you run the Index view, you need to add Index() action methods as shown below:

public ActionResult Index()
    ViewBag.Message = "A fresh CAPTCHA image is being displayed!";
    return View();
public ActionResult Index(string CaptchaText)
    if (CaptchaText == HttpContext.Session["captchastring"].ToString())
        ViewBag.Message = "CAPTCHA verification successful!";
        ViewBag.Message = "CAPTCHA verification failed!";
    return View();

The first Index() action method takes care of GET requests whereas the second one takes care of POST requests (as indicated by [HttpPost] attribute). The first Index() method simply puts a Message in the ViewBag and shows the Index view (Figure 2). When the user enters the CAPTCHA value in the TextBox and submits the form, the second Index() action method compares the submitted value with the value stored in the Session earlier (recollect that ExecuteResult() method stores the CAPTCHA text in a session variable). Depending on the outcome of the comparison either a success or failure message is displayed in the view.


A CAPTCHA is a challenge-response system frequently used to keep away spammers and automated software programs from web pages accepting data from the end users. Common examples of such pages include user registration forms and contact forms. In order to create your own CAPTCHA system in ASP.NET MVC you create a custom ActionResult class that generates a random string value and then emits it as an image on the response stream. You can add more features to the CAPTCHA you developed in this article to make it more difficult for automated software programs to read the CAPTCHA text.

About the Author

Bipin Joshi

Bipin Joshi is a blogger and writes about apparently unrelated topics - Yoga & technology! A former Software Consultant by profession, Bipin has been programming since 1995 and has been working with the .NET framework ever since its inception. He has authored or co-authored half a dozen books and numerous articles on .NET technologies. He has also penned a few books on Yoga. He was a well known technology author, trainer and an active member of Microsoft developer community before he decided to take a backseat from the mainstream IT circle and dedicate himself completely to spiritual path. Having embraced Yoga way of life he now codes for fun and writes on his blogs. He can also be reached there.

Related Articles



  • captcha refresh

    Posted by Dhruti on 09/19/2016 08:26am

    Hi thank you for this code. it is working fine but i want to implement refresh captcha without refreshing page. so please help me.

  • How to add a refresh link for captcha

    Posted by sasireha on 09/18/2016 03:52pm

    hi please let me know how to refresh the image rendered from controller action method each time when i click refresh link.

  • how to add refresh functionality to the above with out refreshing the whole page

    Posted by ashok on 04/19/2016 06:02am

    help me.

    • Refresh captcha

      Posted by Dhruti on 09/19/2016 08:28am

      same question i have

  • captcha image not showing on server

    Posted by NK on 04/11/2016 02:44pm

    I Tried this easiest way of Captcha I really happy to use this and its really working in local but when I putted this code in my remote site then Image is not showing ! can you please help me what is remain to add or why its not working ?

  • MVC 6

    Posted by Brent Fuller on 11/12/2015 06:39pm

    Hi, I am trying to implement this in MVC 6 but am stuck on bmp.Save(response.OutputStream,ImageFormat.Jpeg); as the response does not have .OutputStream. Any ideas?

  • Query

    Posted by Riddhi Bhatt on 07/14/2015 01:45pm

    I Tried this easiest way of Captcha I really happy to use this and its really working in local but when I putted this code in my remote site then Image is not showing ! can you please help me what is remain to add or why its not working ?

  • wow

    Posted by shaul on 04/24/2015 08:09am

    thank you so much. you halped me a lot :)

  • Error : http://localhost:51124/home/ShowCaptchaImage 500 (Bad Request)

    Posted by sai on 12/19/2014 02:35pm

    Getting the error (Bad Request) on client side. please help

  • Captha refersh

    Posted by Sheela on 06/30/2014 10:51am

    hi I used tthis same code for my captha. IT is working fine in Google Crome. But refesh is not working in Firefox. random number is genarating, but image is not displaying after refresh. can i get to know why?

    • Captch image is getting rendered from cache

      Posted by Sandesh Daddi on 06/22/2015 01:11pm

      Hi Sheela, I know your comment is almost 1 year old, but just replying here if anyone else in interested in same. most browsers are rendering the image from Cache and not hitting the server for refresh. It is recommend that while adding these kind of images pleas append some random number in image url like below This will create a unique URL for each page load, if you want a functionality like refresh link then please write this logic in Javascript. Thank you, Sandesh Daddi www.sanshark.com

  • Thank You Some how your code helped me

    Posted by khawaja on 04/30/2014 04:12pm

    thanks once again mate

  • Loading, Please Wait ...

  • You must have javascript enabled in order to post comments.

Leave a Comment
  • Your email address will not be published. All fields are required.

Most Popular Programming Stories

More for Developers

RSS Feeds

Thanks for your registration, follow us on our social networks to keep up-to-date