mvc generate captcha after failed login attempt

so i was able to make my recaptcha thing working but my problem is though, i want to have it appear only after 3 tries. one option that i have is to redirect the user to a View that will have the captcha already (duplicate of the login but with captcha) and then have him log in through that page. is there any other option? i开发者_C百科 feel like partial views would cause problems on Post of the page. what do you think is the best way to generate the captcha?

    <% using(Html.BeginForm()) {%>
      <%: Html.AntiForgeryToken() %>
      <%: Html.ValidationSummary() %>
      <label>Username:</label>
      <%: Html.TextBoxFor(m => m.Username) %>
      <br /><br />
      <label>Password:</label>
      <%: Html.PasswordFor(m => m.Password) %>
      <br /><br />
      <input type="submit" value="Login" />
      <%: Html.ActionLink("Register", "Register", "") %>
      <%: Html.ActionLink("Forgot Password", "Password", "") %>
      <%: Html.ActionLink("Forgot Username", "Username", "") %>


      <%: ReCaptcha.GetHtml(publicKey: "thisismykey", theme: "red") %>


    <% } %>

THanks, G

You are passing in a model (hopefully a ViewModel). Why not add NumberOfFailedLogins to it?

Then you could just put a bit of code around the Recaptcha saying

<%: if (Model.NumberofFailedLogins > 3) { %>
<%: ReCaptcha.GetHtml(publicKey: "thisismykey", theme: "red") %>
<% } %>

NOTE: I am used to Razor syntax, so apologies if the above is not perfect. I'm sure you get the idea!

Obviously you would need to update NumberOfFailedLogins behind the scenes!

EDIT: Just to clarify, the number of failed login attempts ought to be recorded in the membership database behind the scenes automatically (the act of attempting to login would do this; note that the ASP.NET Membership Provider automatically records the number of consecutive failed login attempts out of the box) and it is from there that the ViewModel obtains this information. So it doesn't matter if you are using a bot to attempt to brute-force your way in, it can still be presented with the ReCaptcha after three attempts (and of course can be locked out too if desired).