[Date Prev][Date Next][Thread Prev][Thread Next] [Search] [Date Index] [Thread Index]

[MacPerl-WebCGI] %ENV vars & authentication [was: replicating chmod command on amac]

To: macperl-webcgi@macperl.org
Subject: [MacPerl-WebCGI] %ENV vars & authentication [was: replicating chmod command on amac]
From: Bruce Van Allen <bva@cruzio.com>
Date: Fri, 9 Jul 1999 23:44:13 -0700
In-Reply-To: <v04210103b3abe4affb5a@[128.192.13.223]>
References: <v04011701b3ab021125da@[165.227.130.137]><v04011701b3ab021125da@[165.227.130.137]>

At 10:56 AM -0700 7/9/99, Tomer Tishgarten wrote:
>During my lunch break I created a temporary fix.  By converting the
>command if for until, I was able to modify the way that perl checked
>the username and password (I learned for the first time last night
>that perl always assumes a statement is true under the if statement).

Hmmm? Not sure what you mean by the last statement ... :-)

>But, I wanted to install an additional bit of security that I
>discovered I could not implement.  When I tried to print all of the
>$ENV variables I got:

[snip]

>If you look carefully, you'll notice that I missing the HTTP_REFERER
>variable.  Why am missing this variable?  Is there module that I need
>to be running in order to get it?

IMO, passive ways of IDing are a waste of time.

HTTP_REFERER just isn't a reliable environment variable, especially if
you're using it for authentication. It's not reliable because:

1. Sometimes there is no value, for example when someone comes to your site
by means of choosing it from their menu of bookmarked pages, rather then
clicking a hyperlink to request the URL.

2. It's possible for the web browser to prevent HTTP_REFERER from being
sent. As a user I like that; I'm not especially interested in letting
someone trace what sites I've visited. As a programmer, I understand that I
can't rely on it, just like I can't rely on visitors having javascript
enabled. (See iCab for a web browser that lets you prevent HTTP_REFERER
from being sent (it's a preview; get release 1.5 or later; go to
http://www.icab.de.)

Beyond HTTP_REFERER, environment variables in general are not reliable ways
of identifying or authenticating a visitor to a public web site.

Just ask 'em who they are. Give 'em a password if necessary; keep a table
of valid passwords tucked away (encrypted in a file, hard coded right in
the script, etc.) where your authentication script or subroutine can find
it.

This is not only a programming issue. Promote trust in your sites rather
than paranoia, by being up front regarding what you know or want to know
about your visitors.

- Bruce

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Bruce Van Allen
bva@cruzio.com
831/429-1688
P.O. Box 839
Santa Cruz, CA  95061

==== Want to unsubscribe from this list?
==== Send mail with body "unsubscribe" to macperl-webcgi-request@macperl.org

References:
- Re: [MacPerl-WebCGI] replicating chmod command on a mac
  - From: Bruce Van Allen <bva@cruzio.com>
- [MacPerl-WebCGI] Re: Re: replicating chmod command on a mac
  - From: Tomer Tishgarten <ttishgar@arches.uga.edu>

Prev by Date: Re: [MacPerl-WebCGI] replicating chmod command on a mac
Next by Date: [MacPerl-WebCGI] Re: [MacPerl] test cgi without connection
Prev by thread: Re: [MacPerl-WebCGI] replicating chmod command on a mac
Next by thread: [MacPerl-WebCGI] To the recent e-mail questions...
Navigation: Date Index | Thread Index | Search | Other lists at bumppo.net