FormShield v2.0 has been released.
Changes in this version:
Random BorderStyle, FillStyle, FontStyle, GradientStyle, HatchStyle, TextCase, TextEffect and TextStyle on occasions would throw exceptions - Fixed - Routines rewritten.
The ampersand (&) in SymbolCharacters was causing an exception due to character encoding - Fixed - Ampersand removed.
PixelFormat, SmoothingMode, FillStyle & BorderStyle contained invalid values which could throw exceptions - Fixed.
If ImageBorder was set to None a border was still being drawn on the top left - Fixed.
When using Presets, non-relevant property values (e.g. AlternateText) were being changed - Fixed.
Machine specific encryption keys caused issues with load-balanced environments - Changed - See below.
Url encoded, base-64 querystrings were causing issues with decryption - Changed - Encrypted hex-based string now used.
Multiple FormShield's on one page would generate the same text value - Fixed - Improved random methods.
BackColor2 and ForeColor2 were being written out to the querystring even when empty - Fixed.
When rendering multiple FormShield's on one page the querystring from the first image was being parsed for all of them - Fixed.
When using PersistenceMethod.FormField values weren't being persisted after the first postback - Fixed.
When using PersistenceMethod.SessionState a new image wasn't being generated when returning to the page - Fixed.
TIFF ImageFormat - Was serving no real purpose as TIFF images require a browser plugin.
Format48bppRgb, Format64bppArgb and Format64bppPArgb PixelFormats - Unlikely to ever be used.
SolidHatch fill style - Duplicate of Hatch.
Arial Narrow, Book Antiqua, Garamond and Haettenschweiler removed from DefaultFonts - Not default XP/2003 fonts and could cause exceptions.
ImageProviderUrl property removed as an HttpHandler is now used.
ImageAlign property removed as it no longer serves any purpose.
Major New Features/Improvements:
The encryption/decryption routines have now been moved into their own class and re-written using a different provider. The key size has also been increased (now 128-bit) for additional security and it is now possible to set your own key in the web.config file using the formShield_SecretKey AppSetting. An example key is included in the web.config file contained within the download.
If you are using Visual Studio, you can also use the menu (right-click on the control, or use the buttons below the property grid) and select 'Add Secret Key' to automatically add a default key to your web.config file.
Previously the encryption key was determined by machine specific identifiers which caused issues in load-balanced environments.
FormShield no longer calls itself or an ImageProvider to generate the image, instead it uses an HttpHandler registered in the web.config file and the HttpHandlerPath property. This is a much cleaner way of generating the image and using the HttpHandlerPath property you are able to specify the handler name/path rather than using the default of FormShieldHttpHandler.aspx if required.
As with the encryption key, Visual Studio users can use the menu and select 'Add HttpHandler' and FormShield will automatically register the handler in the web.config file and update its properties to point to it.
Replay Attack/Brute Force Prevention:
ValidFrom and ExpiresAfter properties have been added that allow you to specify the number of seconds that have to pass after image generation before the image is deemed to be valid and also the period of time after which the image is deemed to have expired.
By calling the IsValid property on postback you are then able to determine if the user entered the value within the specified timeframe.
A GetGeneratedAt() method has also been added so you can retrieve the date and time the image was generated.
By combining these options you are able to prevent replay attacks and combat users bombarding your form.
FormShield now implements the LoadControlState() and SaveControlState() methods enabling the new ControlState persistence method introduced in .NET 2.0 to be used to persist property values as an alternative to ViewState and SessionState. Simply set the PersistenceMethod property to PersistenceMethod.ControlState to use this method.
FormField has also been replaced with the new .NET 2.0 HiddenField class, which effectively does the same thing as FormField previously did.
As a consequence of introducing ControlState, the Text property is no longer accessible to ensure values are persisted correctly. Instead, a Value property (for validators) and GetText() method (for general use) have been added should you wish to retrieve the current text value.
Any time the persistence method is now changed, FormShield automatically copies the current values to the new method and removes the value from the previous one.
Random Length Text:
TextLengthRandom and TextLengthRandomMinimum properties have been added so you can specify FormShield should generate a random length text value. Simpy set TextLengthRandom to True and FormShield will by default generate a random text value of between 3 and 6 characters (inclusive). By changing the TextLengthRandomMinimum and TextLength property values you are able to control the minimum and maximum length of the value generated.
Another frequently requested feature was the ability to perform an action when the user clicked on the image. This can be enabled or disabled as required (disabled by default) using the ClickEventEnabled option and three actions are currently supported:
- Regenerate - Regenerates the text value and redraws the image.
- BubbleEvent - Bubbles the event enabling custom code to be executed.
- RegenerateBubbleEvent - Both of the above.
If you are using the SetText() method to set your own text value, you can then use the BubbleEvent option to change the value when someone clicks on the image.
Design time support has also been added so if you double click on the control, Visual Studio will automatically create the event handler for you.
FormShield now allows you to specify your own text value to be displayed to users. This is useful if you want to use your own random text/number generator and was a frequently requested feature.
Simply set the AutoGenerate property to False and use the SetText() method to set the text you want FormShield to display. The same method can also be used on postback to change the text, thereby invalidating the value the user entered.
The main new feature, and the most important from an accessibility compliance standpoint is the addition of sound into FormShield.
By clicking on the sound icon, FormShield will automatically generate and play the spoken version of the current text value within the browser, even if you are using a custom text/number generator and the SetText() method to set your own value. Furthermore, all character types are supported (Alpha, Numeric and Symbols or a combination of any or all).
Should the user visiting the Web site not have a plugin capable of playing the audio file, they are automatically prompted to download the file.
As standard FormShield provides two voices - British male and British female with the choice of 8bit or 16bit and 8kHz or 16kHz audio.
Also, as the required sound libraries are distributed seperately you only have to copy the one you require to your bin directory.
Custom sound libraries can be created and distributed with FormShield if/when required.
To improve the usability of FormShield, it now automatically renders three icons as part of the control in addition to the main image.
- Refresh - Automatically changes the text value and redraws the image when clicked.
- Sound - A spoken version of the text value is played when clicked on.
- Help - When moused-over displays a message to the user using the Title (alt) tag.
All three icons allow you to set the AlternateText, Height and Width as well as the path to a custom icon. If you do not provide your own icon, FormShield will automatically render a default one.
The refresh icon also provides a RefreshIconClick event that supports the same options as the ImageClick event, namely Regenerate, BubbleEvent or RegenerateBubbleEvent, so if you are using your own custom text/number generator to set the text value, you can simply consume this event using the BubbleEvent to change the value when someone clicks on the refresh icon.
Also, should you wish to redirect a user to a help page when they click on the help icon you can do so by using the DestinationUrl property that this icon supports. One such use of this would be to provide a contact number so users with certain accessibility needs and who are unable to read the text value or hear the spoken version are able to contact you for assistance.
Furthermore, all three icons have a Visible property enabling you to display or hide any or all of them.
Other New Features/Improvements:
Medium Trust Environment support - AllowPartiallyTrustedCallers attribute added, incompatible code removed, designer integration rewritten.
Title (alt) text now written out for all browsers, not just Internet Explorer to aid with accessibility.
Caching headers have been added to prevent/allow browsers caching image/audio - Images cannot be cached, audio can.
Status codes are also now added to the headers when generating the image/audio to aid browsers.
TextFont enumeration added to specify the default font to use to draw the text on the image.
Reset Design Properties menu option added in Visual Studio to set all of the design properties back to their original default values.
ImageEnabled and SoundEnabled properties added to enable/disable image/sound generation.
The BuildQueryString() method has been improved so unnecessary property values are no longer written out.
Various conversion and other methods improved - Minor performance increases.
| - Dotted vertical bar added to AllCharacters (was previously missing).
^, -, ~, ., \, and / added to DefaultSymbols.
Franklin Gothic Medium, Gautami, Georgia, Kartika, Latha, Lucida Console, Mangal, Microsoft Sans Serif, Mv Boli, Palatino Linotype, Raavi, Shruti, Sylfaen, Tahoma, Trebuchet MS, Tunga and Vrinda fonts added to DefaultFonts.
Default PixelFormat changed to PixelFormat.Format32bppRgb and the default Height changed to allow for alignment of the new icons.
Various design time property category changes made to enable quick access to desired properties.
Presets all updated (including default) with minor changes.
DrawNewText() method replaced with GenerateNew() and SetText() methods.
TextStyle renamed CharacterType to better describe the enumeration.
Image generation code moved into FormShieldImageProvider.
Reduction in the number of property declarations required by the introduction of the FormShieldDefaults class which contains all of the default values.
Migrated .NET 1.1 specific code to the new replacement methods and classes found in the .NET 2.0 framework.
Lots of other code tweaks, documentation changes and improvements.
Please visit the downloads area to grab a copy or the blog entry for more information on FormShield v2.x.