The purpose of captchas is to verify that a requester is a human being and to help prevent bot attacks.
But what if a malicious user solves the captcha once and then tries to reuse the data of the solved captcha to fill your site with garbage?
To prevent this, MvcCaptcha library supports 2 modes of replay protection: cache (default) and session.
The configuration parameter named MvcCaptchaReplayProtectionMode drives replay protection mode selection. Out of the box it is set to the "cache" value. To engage the session replay protection mode, set it to the "session" value.
What is the difference between cache and session replay protection modes?
When the session protection mode is used, the MvcCaptcha library stores the generated captcha data in the user's web session and uses it to validate the user's answer. Right after the validation, the stored captcha data is removed from the user's session, making it impossible to reuse the solved captcha's data and resubmit with the same captcha answer.
When the cache protection mode is used, the MvcCaptcha library does not use sessions or cookies to store the generated captcha data. Instead, it renders a hidden input element containing an encrypted captcha token and later compares the supplied user's answer with the token information in the hidden input element. To prevent reuse of a solved captcha's data, the generated captcha token has a limited lifetime. Its duration is driven by the configuration parameter MvcCaptchaReplayProtectionTokenValidity. In addition, solved captcha data is stored in the cache for the duration of the token lifetime (validity) to prevent replay during the token lifetime period.
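The two strategies above differ in where the "has this captcha already been solved?" state lives. The following is an added example that is not MvcCaptcha's own code: it models the session mode as a one-shot server-side entry, and the cache mode as a self-contained token in the hidden input plus a short-lived cache of solved tokens. As a stand-in for the library's encrypted token it uses an HMAC-signed token that carries only a salted digest of the answer, and it uses in-process dictionaries in place of the web session and the cache; the class and function names, the key and the injectable clock are all assumptions made for the example.

```python
"""Replay-protection models for the 'session' and 'cache' modes described above.

Added example, not MvcCaptcha's own code. The real library encrypts its token;
here an HMAC-signed token with a salted answer digest stands in for that (assumption).
"""
import base64
import hashlib
import hmac
import secrets
import time

SERVER_KEY = b"constructed-server-secret-do-not-reuse"  # constructed sample key


def _answer_digest(nonce: bytes, answer: str) -> bytes:
    # Salted digest so the hidden field never carries the plain answer.
    return hashlib.sha256(nonce + answer.lower().encode()).digest()


class SessionReplayProtection:
    """'session' mode: captcha data lives server-side and is removed on first validation."""

    def __init__(self, session: dict):
        self.session = session  # stands in for the user's web session

    def issue(self, answer: str) -> None:
        self.session["captcha_answer"] = answer.lower()

    def validate(self, supplied: str) -> bool:
        # pop() makes this one-shot: the stored answer is gone right after validation,
        # so a second submission with the same answer has nothing to match against.
        expected = self.session.pop("captcha_answer", None)
        return expected is not None and hmac.compare_digest(expected, supplied.lower())


class CacheReplayProtection:
    """'cache' mode: stateless token in a hidden input plus a cache of solved tokens."""

    def __init__(self, validity_seconds: int, now=time.time):
        self.validity = validity_seconds  # plays the role of MvcCaptchaReplayProtectionTokenValidity
        self.now = now                    # injectable clock, so expiry can be demonstrated
        self.solved: dict[bytes, float] = {}  # nonce -> expiry; the "cache" of solved tokens

    def issue(self, answer: str) -> str:
        nonce = secrets.token_bytes(16)
        expiry = int(self.now()) + self.validity
        body = nonce + expiry.to_bytes(8, "big") + _answer_digest(nonce, answer)
        tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + tag).decode()  # value of the hidden input

    def validate(self, token: str, supplied: str) -> bool:
        try:
            raw = base64.urlsafe_b64decode(token)
        except Exception:
            return False
        if len(raw) != 16 + 8 + 32 + 32:
            return False
        body, tag = raw[:-32], raw[-32:]
        if not hmac.compare_digest(hmac.new(SERVER_KEY, body, hashlib.sha256).digest(), tag):
            return False  # tampered or forged token
        nonce, expiry = body[:16], int.from_bytes(body[16:24], "big")
        now = self.now()
        # Entries only need to live as long as the token they block could still be valid.
        self.solved = {n: e for n, e in self.solved.items() if e > now}
        if expiry <= now:
            return False  # token lifetime exceeded: the user must solve a fresh captcha
        if nonce in self.solved:
            return False  # replay of an already-solved token within its lifetime
        if not hmac.compare_digest(body[24:56], _answer_digest(nonce, supplied)):
            return False  # wrong answer; the token stays usable for another attempt
        self.solved[nonce] = expiry  # remember the solved token until it would expire anyway
        return True
```

The cache entry is keyed by the token's nonce and kept only until the token's own expiry, which is exactly why the cache mode needs a bounded token lifetime: without it, the set of solved tokens would have to be remembered forever.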
Which replay protection mode should I use?
If your application does not use sessions, needs to support cookie-less operation, or if you want to run more than one worker process and avoid configuring session persistence infrastructure, then the "cache" protection mode is definitely for you. The drawback of the "cache" protection mode is that users have to solve captchas within a particular amount of time, limited by the captcha token's lifetime as specified by the MvcCaptchaReplayProtectionTokenValidity configuration parameter.
If you are fine with session support in your application (including session persistence configuration and infrastructure setup for a multi-worker environment), then use the "session" protection mode. It will even slightly reduce the page size, due to the absence of the hidden input element that stores the generated encrypted captcha data.