
Sunday, July 13, 2008

Video: How Do I: Use the ASP.NET AJAX NoBot Control?

Presenter: Joe Stagner

The NoBot control from the ASP.NET AJAX Control Toolkit helps prevent certain types of unauthorized access to your Web applications. In this video we see how the NoBot control provides a number of built-in guards against automated access, including checking the number and frequency of form submissions. We also see how the control allows the developer to define a custom challenge, such as a JavaScript test that will succeed only if the page is viewed in a browser.

The following text is a software-generated transcript of the video; the minute headings mark positions within the video.


Minute 0

This video will demonstrate the use of the NoBot control that ships as part of Microsoft's AJAX Control Toolkit. The NoBot control is a great addition to your security toolbox to help you prevent certain types of unauthorized access to your web application. So I've started up Visual Web Developer Express, the free version of Visual Studio for web development, and created a new AJAX Control Toolkit enabled website. The first thing I'm going to do is to add a standard ASP.NET MultiView control to our page, and then I'm going to grab a snippet that I've predefined that will add a little content to the first of the two views. Note here that there's nothing otherwise notable about this; it's just a standard form that takes first and last name and then posts back

Minute 1

along with the submit button. In the second of the views in the MultiView I've also got some additional markup, and again there's nothing special about this as it pertains to the NoBot other than the text that it contains. But here there's a Label control, Label1, and we'll use this based on the results of the NoBot's evaluation of the validity or invalidity of the submission of this page. And there is just some static text that in this case is diagnostics as to what may go wrong or not; in our case we're just displaying values. You probably don't want to display diagnostics unless the submission was disallowed. Back over to Source view, the next thing for us to do here, of course, is to add the actual NoBot control instance to our page, so let's go to the AJAX Control Toolkit controls, grab the NoBot control and drop it on our page. It just tells us that the

Minute 2

files are already in our project because we selected the AJAX Control Toolkit enabled project. So the one thing that we do here is we have to configure our NoBot control with an OnGenerateChallengeAndResponse handler, and in our case we'll call it CustomChallengeResponse. We haven't written this function yet, but we will write it in the code-behind for our page here. Now let's generate a Page_Load; the first thing we're going to do is check whether the page is posted back.

Minute 3

And if it's not a post back we're just going to draw the page, because it's being viewed for the first time. If it is a post back then we're going to find the MultiView control and set the active view to the second view, and then dim up an object to contain the state of the form as it's determined by the NoBot: a NoBotState. Of course it isn't defined yet because we haven't imported the AJAX Control Toolkit namespace, so let's do that. The state is a collection, so it's also worth defining an import for

Minute 4

System.Collections.Generic. Okay, now let's check that state. We'll say NoBot1.IsValid and give it the state item that we want it to fill in. So we'll say if the state is valid we'll take Label1, which is at the top of the second view, and let's set the background color equal to white, and let's

Minute 5

set the text equal to a message that tells us everything was more or less okay. So I'll just say that the submission was accepted; this is for demo purposes obviously, but in a real application you wouldn't have to tell the user that, you'd just go ahead and do whatever the form submission should do. However, if the NoBot says IsValid is false, we'll do something a little different. Let's first set the color of that label

Minute 6

to red, and let's change the text to "denied". And now let's provide a little bit more information, so let's use a StringBuilder, and let's say for each key value pair as a KeyValuePair in... What I'm doing here is we're going to look at the frequency

Minute 7

of the requests and see whether or not they're coming too quickly. And so we're really going to look at the IP addresses that are getting cached and see how frequently we're getting a request from the same IP address, and we'll just add those to the string, so we'll say AppendFormat and

Minute 8

which just outputs a little formatted text here, and so we'll say kvp.Key.ToString() and... here we go, and once I've iterated through all

Minute 9

the cached requests, we can just set the text of the Label control, Label1, to display whatever we ended up with in the StringBuilder. So the last thing to do is, if this was not a post back, make sure that the MultiView is set to the first view. Okay, so that's all of our page processing. In Page_Load we're saying hey, if this is not a post back, just make sure that View1 is displayed, the form with the first and last name; if this is a post back,

Minute 10

set the active view of the MultiView to be View2, the bottom one, which has both our Label control to display diagnostics to the user as well as the descriptions of what the possible states might mean. And then we're going to dim up the NoBotState object, pass it to the IsValid method of the NoBot control to find out whether or not this is a valid response, and if it was a valid response we display "submission accepted" and set the background color to be normal. Otherwise, if the state is not valid, we set the background color of that label control to be red to really stand out, say that the submission is denied, and then we're going to iterate through the requests for the IP addresses and show those. Note that if this is a valid state then

Minute 11

there may only be one IP address, the requests from this user, that will be displayed, whether the request is valid or not. And of course if it is not a post back, we make sure that View1 is the active view in the MultiView. Now the next thing we need to do is to define that function for the custom challenge response, so let's do that by saying Protected Sub CustomChallengeResponse(ByVal sender As Object,

Minute 12

ByVal e As NoBotEventArgs). Okay, so first let's dim up a Panel and give it an ID; this can be anything, let's say NoBotSamplePanel. Now the next thing I'm doing in this

Minute 13

function here is to implement just one of perhaps an infinite number of ways that you might be able to determine whether a submission is valid. Now this is entirely contingent on the semantics of your application; I'm going to use one example, but you can come up with any method that you want. You could do a checksum of the values from the form, or you could maybe check the IP address that this is coming in from and weigh that against a level of service that determines how many seconds the user has to wait in between submissions. Really the possibilities are infinite. In our case we're going to generate a random area on the screen, a hidden random area, and then check that hidden random area from the NoBot. So let's create a randomizer: Dim rand As New Random

Minute 14

and say the panel's Width is equal to a random value from the randomizer, and we'll also specify a Height for our panel. Now we want this panel that we're generating to be hidden, because it's just the dimensions of the panel that are to be used to determine whether or not the form is being submitted in accordance with our expectations. So we'll say panel.Style and

Minute 15

add an HtmlTextWriterStyle entry for visibility, and we'll set visibility equal to hidden. If HtmlTextWriterStyle is not familiar to you then you should check it out; it's one of the things that you definitely want to use when writing your own custom controls. So let's set that equal to hidden. I'm also going to use the magic of cut and paste and add another instance, but instead of visibility we'll use position and set it to absolute, so that we will specify where it goes, and then

Minute 16

add it to the controls collection, so we'll say Controls.Add to add our panel to the page's control collection. Now the NoBotEventArgs, which is e, also gives us a ChallengeScript, and this is where I can pass in the script that will be used for the challenge. We'll write some JavaScript that will determine the size of the element, which

Minute 17

we'll do by saying document.getElementById with the panel's ClientID, and then the offsetWidth times the offsetHeight, and this should give us the area of the panel. So e

Minute 18

dot offsetWidth times e.offsetHeight, okay. And then e.RequiredResponse equals the panel's Width value times its Height value,

Minute 19

Okay, so to understand what this does here: we create a Panel control, which resolves to a div in HTML. We've got our randomizer here which generates a random size for it, and we make sure that it's not visible to the user, so it's a pseudo panel that we're just going to use for the purposes of validation using NoBot. We add that panel control to the controls collection, and then we specify here the

Minute 20

script that computes a value, and then that value has to match this value that is generated on the server. And again, this is just one example of how you can do this; you can come up with as complex a collection of validation mechanisms as is appropriate for your application. Let's test our application. We'll do a submission by entering the appropriate values: this is the first request for this IP address, everything looks great. Go back here and quickly try to resubmit, and it tells me the submission is denied: invalid response, too soon. So the NoBot is picking up and saying that this is happening too quickly. Some of the various

Minute 21

types of things that can cause the validation to fail are: an invalid response, it's too soon, this particular IP address is too active, there is a bad session state or no session state, or some other similar problem. Of course you can get as advanced as you like in terms of your own custom response mechanism, but the NoBot control provides a great opportunity to sort of hook this activity and not have to write all of the underlying plumbing yourself; you can just write the business logic that determines whether or not this response/request combination should be valid or invalid. And that's it, that's all it takes to get started using the NoBot control to help limit unauthorized access to your application.
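The code-behind the presenter builds, reconstructed in C# as an added example (the video uses VB.NET; this is neither the presenter's nor the toolkit's own code). It assumes the markup IDs NoBot1, MultiView1 and Label1, that NoBot1 is wired with OnGenerateChallengeAndResponse="CustomChallengeResponse", and that the toolkit's static NoBot.GetCopyOfUserAddressCache() returns a dictionary of cached address keys to timestamps.

```csharp
using System;
using System.Collections.Generic;
using System.Drawing;
using System.Text;
using System.Web.UI;
using System.Web.UI.WebControls;
using AjaxControlToolkit;

// Code-behind for the demo page (assumed IDs: NoBot1, MultiView1, Label1).
public partial class NoBotDemo : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            MultiView1.ActiveViewIndex = 0;   // first visit: show the form (View1)
            return;
        }
        MultiView1.ActiveViewIndex = 1;       // post back: show the result view (View2)
        NoBotState state;                     // why the toolkit accepted or rejected the post
        if (NoBot1.IsValid(out state))        // built-in checks plus our custom challenge
        {
            Label1.BackColor = Color.White;
            Label1.Text = "Submission accepted.";
            return;
        }
        // Denied: state names the reason (bad response, too soon, address too active,
        // bad session). The address cache dump is demo diagnostics; log it in production.
        Label1.BackColor = Color.Red;
        StringBuilder sb = new StringBuilder();
        sb.AppendFormat("Submission denied: {0}<br />", state);
        foreach (KeyValuePair<string, DateTime> kvp in NoBot.GetCopyOfUserAddressCache())
            sb.AppendFormat("{0} : {1:T}<br />", kvp.Key, kvp.Value);
        Label1.Text = sb.ToString();
    }

    // Wired up in markup as OnGenerateChallengeAndResponse="CustomChallengeResponse".
    // Renders a hidden, randomly sized panel and requires the browser to report its area.
    protected void CustomChallengeResponse(object sender, NoBotEventArgs e)
    {
        Random rand = new Random();
        Panel p = new Panel { ID = "NoBotSamplePanel", Width = rand.Next(50, 300), Height = rand.Next(50, 200) };
        p.Style[HtmlTextWriterStyle.Visibility] = "hidden";   // invisible, but still laid out
        p.Style[HtmlTextWriterStyle.Position] = "absolute";   // keep it out of the page flow
        Form.Controls.Add(p);                 // must be on the page for the browser to size it
        e.ChallengeScript = string.Format(
            "var el = document.getElementById('{0}'); el.offsetWidth * el.offsetHeight;", p.ClientID);
        e.RequiredResponse = (p.Width.Value * p.Height.Value).ToString();
    }
}
```

The hidden-panel challenge only separates clients that run the page's script from those that do not, so keep the control's own rate limits (ResponseMinimumDelaySeconds, CutoffWindowSeconds, CutoffMaximumInstances) in place rather than relying on the challenge alone.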
