Share this page

Projects
Publications
People
Downloads

    Introducing the new Microsoft Research
    Web site. Find out what’s new…

    Share this page E-mail this page Print this page RSS feeds
    Home ProjectsASIRRA > Asirra — Installation Instructions
    Asirra — Installation Instructions

    Protecting your web site with Asirra is easy. It just takes a few lines of code in whatever language your web service is written in. See these complete working examples:
    There are four basic steps, described below. First, add a call to our JavaScript from your web form. Second, wire your "submit" button to our Asirra validation function. Third, write your own JavaScript function that submits the form once you get a callback saying the Asirra challenge has been successfully solved. Finally, add a call to our web service from your server form processor, to ensure that you are not getting a request from a cheating client.

    Step 1. Call our JavaScript from your web form.

    Somewhere in your form, import Asirra's client JavaScript. The point at which you include the script will have a div added containing the challenge. This must be inside a form.
    <script type="text/javascript" src="http://challenge.asirra.com/js/AsirraClientSide.js"></script>
    Optional: If you'd like to customize the look of the Asirra challenge, also include the code below. A complete example can be found by performing view-source on our Example Service.
    <script type="text/javascript">
    // You can control where the big version of the photos appear by
    // changing this to top, bottom, left, or right
    asirraState.SetEnlargedPosition("top");

    // You can control the aspect ratio of the box by changing this constant
    asirraState.SetCellsPerRow(6);
    </script>

    Step 2. Arrange for your form to validate using onsubmit().

    Here is a typical form arrangement, where the form's onsubmit property calls a site-specific validation function MySubmitForm(). In the next step, we'll modify the validation function to include a call to Asirra.
    <form action="ExampleService.py" method="get" id="mainForm" onsubmit="return MySubmitForm();">
          User Name: <input type="text" name="UserName">
          Favorite Color: <input type="text" name="FavoriteColor">
          <script type="text/javascript" src="http://challenge.asirra.com/js/AsirraClientSide.js"></script>
          <input type="submit" value="Submit">
    </form>

    Step 3. Write a JavaScript function that submits the form if the user is human.

    The callback function that you passed as an argument to Asirra_CheckIfHuman() will get called once the Asirra server has determined if the user has passed the challenge. Your callback should take one argument, which will be either true or false, depending on if the user is human.

    Because the callback gets called asynchronously, we have to restart the form submission process once the HIP is passed. To prevent an infinite loop, we use a state variable passThroughFormSubmit to disable the check on the second submission.

    If the user is human, submit the form. If not, notify the user that they should try the HIP again. Our example below uses an alert(), but feel free to do something more elegant.
    <script type="text/javascript">
    var passThroughFormSubmit = false;
    function MySubmitForm()
    {
         if (passThroughFormSubmit) {
              return true;
         }
         // Do site-specific form validation here, then...
         Asirra_CheckIfHuman(HumanCheckComplete);
         return false;
    }
    function HumanCheckComplete(isHuman)
    {
         if (!isHuman)
         {
              alert("Please correctly identify the cats.");
         }
         else
         {
              passThroughFormSubmit = true;
              formElt = document.getElementById("mainForm");
              formElt.submit();
         }
    }
    </script>

    Step 4. Have your back-end form processor validate that the challenge has been passed.

    This is a critical step; without it, clients can simply bypass Asirra by disabling or circumventing the Asirra JavaScript.

    If a client successfully passes an Asirra challenge, our JavaScript will set a hidden input field in your form called Asirra_Ticket. The value of this field will be a special string that your form processor can use to verify that the client has actually passed the challenge.

    When your processor receives form data, pass the contents of the Asirra_Ticket field to the following URL (replace FORMDATA with the value of Asirra_Ticket):
    http://challenge.asirra.com/cgi/Asirra?action=ValidateTicket&ticket=FORMDATA

    The result will be a bit of XML that either indicates the ticket is valid:
    <AsirraValidation>
        <Result>Pass</Result>
        <Debug></Debug>
    </AsirraValidation>
    ...or that it isn't:
    <AsirraValidation>
        <Result>Fail</Result>
        <Debug>exceptions.Exception: invalid ticket format</Debug>
    </AsirraValidation>
    Note that a ticket can only be redeemed once. Any subsequent attempt to validate the same ticket will result in failure.

    See our example form processors written in Python, PHP, C#, VB, JScript, and Perl, all of which have links to the source code of the back-end form processor. Asirra can be invoked from other languages, as well.