I've found many references to this while googling around, but no definite
answers. I'm wanting to get the referring page information in a perl/cgi
script and base the flow of the script on it. That is, if the request is
from a referring page that is 'authorized', the script continues on with its
normal flow, but if the referring page is not authorized, the script will
exit. I've tried using the HTTP_REFERER variable, but in all cases it returns
an empty value regardless of the browser or the address the request
originates from. The old standard CGICount program seems to handle this
quite well, allowing only domains/pages entered in its configuration to
access the counter, but this program is written in C and I don't see any
obvious correlations in its source code that I can make sense of and try to
port over to Perl. Is there any other means of getting the referer
information other than through the $ENV{} variables?
Cheers,
Charles
>>>>> "Charles" == Charles Logan <clogan@no-spam> writes:
Charles> I've found many references to this while googling around, but no definite
Charles> answers. I'm wanting to get the referring page information in a perl/cgi
Charles> script and base the flow of the script on it.
No you don't. Referer is easily spoofed, sometimes stripped, and
sometimes wrong. You can log it, but only a fool would base a
security mechanism around it.
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@no-spam> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
On Friday 08 August 2003 00:13, Randal L. Schwartz wrote:
> No you don't. Referer is easily spoofed, sometimes stripped, and
> sometimes wrong. You can log it, but only a fool would base a
> security mechanism around it.
Well, I'm certainly foolish enough without adding to it. So, does Perl offer
any foolproof mechanism to determine if a script is being called from
a local page, or if it's being 'borrowed' (hot linked) from some other site?
I don't know what information the C code I referred to uses, but it returns
the IP address and a full url of the requesting site that can be compared to
a list of allowed domains and/or pages. Even this may not offer 100%
security, but it appears to be enough to thwart all but the most hard core
hotlinkers and bandwidth thieves.
Cheers,
Charles
>>>>> "Charles" == Charles Logan <clogan@no-spam> writes:
Charles> Well, I'm certainly foolish enough without adding to it. So,
Charles> does Perl offer any foolproof mechanism to determine if a
Charles> script is being called from a local page, or if it's being
Charles> 'borrowed' (hot linked) from some other site?
No. That's exactly what you *can't* tell.
Charles> I don't know
Charles> what information the C code I referred to uses, but it returns
Charles> the IP address and a full url of the requesting site that can
Charles> be compared to a list of allowed domains and/or pages.
And it can be spoofed trivially.
Charles> Even
Charles> this may not offer 100% security, but it appears to be enough
Charles> to thwart all but the most hard core hotlinkers and bandwidth
Charles> thieves.
It's not hard core. It will lock out legitimate people, and it will
be trivially bypassed by those who want to do it.
It's like painting a lock on your door, and a sign that says "this
door is locked". You're just deluding yourself.
Find another security mechanism. This dog don't hunt.
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@no-spam> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
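The logging-only use of the header that Randal allows, as an added example that is not part of the thread and not from CGICount: it reads $ENV{HTTP_REFERER}, classifies it for the log, and serves the request regardless. It assumes the CPAN URI module is installed and Perl 5.10 or later; the allowed-host list is a constructed sample.

```perl
#!/usr/bin/perl
# Added example (not from the thread): classify the Referer for logging,
# never for access control. The header is client-supplied, so a 'missing'
# or 'foreign' result is a hint for the logs, not proof of anything.
# Assumes the CPAN URI module is installed; host list is constructed.
use strict;
use warnings;
use URI;

my @LOCAL_HOSTS = qw(www.example.org example.org);   # constructed sample

# Returns one of: 'missing', 'local', 'foreign', 'unparsable'.
sub classify_referer {
    my ($referer, @local) = @_;
    return 'missing' unless defined $referer && length $referer;
    my $uri  = URI->new($referer);
    my $host = eval { $uri->host };   # non-server URIs have no host method
    return 'unparsable' unless defined $host && length $host;
    $host = lc $host;                 # host() already strips any :port
    return 'local' if grep { lc($_) eq $host } @local;
    return 'foreign';
}

# Builds and emits one log line; STDERR reaches the web server's error
# log under the usual CGI setups. Returns the line for inspection.
sub log_referer {
    my ($class, $referer, $remote) = @_;
    my $line = sprintf "%s referer=%s class=%s\n",
        $remote // '-', $referer // '-', $class;
    print STDERR $line;
    return $line;
}

my $class = classify_referer($ENV{HTTP_REFERER}, @LOCAL_HOSTS);
log_referer($class, $ENV{HTTP_REFERER}, $ENV{REMOTE_ADDR});

# Serve the counter either way; the classification only feeds the log.
print "Content-Type: text/plain\r\n\r\n";
print "referer class: $class\n";
```

Run it under a CGI-capable web server; when invoked from the shell with no HTTP_REFERER in the environment it reports 'missing', which is exactly the empty value the original question describes.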