CAPTCHA controls are used widely in the internet to validate that a certain input comes from a human user, and not an automated program. While developing the GAM integration module a CAPTCHA generation external object was created to validate that the input in some web panels comes from the user.

This external object is distributed with the module, but can be used in other scenarios.

This external object is currently implemented for the .NET and Java platforms.


The methods included in this external object are:

K2BToolsCAPTCHAProvider Methods

  • GenerateStringToken returns a random string with the length specified in the "amountOfCharacters" parameter.
  • GenerateImage returns an image in GIF format (encoded as a base 64 string). The image contains the string passed in the "captchaStr" parameter with some random noise included to prevent OCR programs from reading the string. The image size is determined by the "width" and "height" parameters.


This external object should be used as follows:

When entering the web panel:

  1. Obtain a random string using the "GenerateStringToken" method.
  2. Store this string in the web session.
  3. Generate an image using the "GenerateImage" method, and put it in the web form by using a blob variable and the "FromBase64String" method.
  4. Render the web page. (Leave a character variable in the web form for the user to input the string value).

Event Start

&randomString = &captchaProvider.GenerateStringToken(5)

&Session.Set(!"CAPTCHA", &randomString)

&generatedImage=&captchaProvider.GenerateImage(200, 100,&randomString)



Sample CAPTCHA initialization code

When the request to perform an action is received from the user:

  1. Retrieve the string stored in the session.
  2. Compare this string to the value the user sent in the corresponding input.
  3. If the strings are equal, proceed with the action (submit the form, etcetera).
  4. If the strings are not equal, do nothing and return to step 1. 
Event Enter
    &SessionString= &Session.Get(!"CAPTCHA")
    If not &SessionString.IsEmpty() and &SessionString = &InputString
        Do 'PerformAction'
CAPTCHA verification code

Hints and caveats:

Event Enter
    &SessionString= &Session.Get(!"CAPTCHA")
    If &SessionString = &InputString
        Do 'PerformAction'
CAPTCHA verification code
  • In steps 2 and 5 it is not mandatory to use the web session (for example, the value may be stored directly in the database). That can be modified to implement various requirements. It is important, however, that the value is not stored in a place that is accessible to the end user (for example, in a variable included in the web form, or in a cookie). If this principle is violated, the CAPTCHA control is rendered useless.
  • In step 6, beware of situations in which no session exists for the response. Consider the following code:

  • If a request is generated via a HTTP POST method invoked by an attacker, and no session Id is sent, the check will pass, as the value from the session will be empty and so will the value sent by the attacker.
    To prevent this, check that the session variable contains a non-empty string before validation, and reject the request if this does not occur.


An example XPZ can be found here.


If using the C# generator the captcha image is not shown, add the following lines to the web.config file in the environment:



  <mimeMap fileExtension=".tmp" mimeType="image/jpeg" />


web.config sample configuration

This code should be placed inside the "system.webServer" tag.