At 10:56 AM -0700 7/9/99, Tomer Tishgarten wrote:

>During my lunch break I created a temporary fix. By converting the
>command if for until, I was able to modify the way that perl checked
>the username and password (I learned for the first time last night
>that perl always assumes a statement is true under the if statement).

Hmmm? Not sure what you mean by the last statement ... :-)

>But, I wanted to install an additional bit of security that I
>discovered I could not implement. When I tried to print all of the
>$ENV variables I got:

[snip]

>If you look carefully, you'll notice that I'm missing the HTTP_REFERER
>variable. Why am I missing this variable? Is there a module that I need
>to be running in order to get it?

IMO, passive ways of IDing are a waste of time. HTTP_REFERER just isn't a reliable environment variable, especially if you're using it for authentication. It's not reliable because:

1. Sometimes there is no value, for example when someone comes to your site by means of choosing it from their menu of bookmarked pages, rather than clicking a hyperlink to request the URL.

2. It's possible for the web browser to prevent HTTP_REFERER from being sent. As a user I like that; I'm not especially interested in letting someone trace what sites I've visited. As a programmer, I understand that I can't rely on it, just like I can't rely on visitors having javascript enabled. (See iCab for a web browser that lets you prevent HTTP_REFERER from being sent. It's a preview; get release 1.5 or later; go to http://www.icab.de.)

Beyond HTTP_REFERER, environment variables in general are not reliable ways of identifying or authenticating a visitor to a public web site. Just ask 'em who they are. Give 'em a password if necessary; keep a table of valid passwords tucked away (encrypted in a file, hard coded right in the script, etc.) where your authentication script or subroutine can find it.

This is not only a programming issue. Promote trust in your sites rather than paranoia, by being up front regarding what you know or want to know about your visitors.

- Bruce

~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Bruce Van Allen
bva@cruzio.com
831/429-1688
P.O. Box 839
Santa Cruz, CA 95061

==== Want to unsubscribe from this list? ====
Send mail with body "unsubscribe" to macperl-webcgi-request@macperl.org
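The approach Bruce describes, as an added example written for this page rather than code from either poster: the script treats HTTP_REFERER as informational only (it reports whether the header is present but makes no decision on it) and authenticates by asking for a username and password, checked against a table kept by the script. The table entries, user names, salts and passwords are constructed for the example. It assumes only core Perl (Digest::SHA has been core since 5.9.3); the stored values are salted SHA-256 hashes so the plaintext never sits in the table, with a constant-time comparison so a mismatch does not leak how far the match got. A deployed script would read the table from a file outside the document root and would do better with a slow password hash such as bcrypt from CPAN; salted SHA-256 is used here only because it is available without installing anything.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);   # core module since Perl 5.9.3

# Build a table entry of the form "<salt>$<hex sha256(salt . password)>".
# Plaintext passwords never go into the table.
sub hash_password {
    my ($salt, $pass) = @_;
    return $salt . '$' . sha256_hex($salt . $pass);
}

# Sample table, constructed for this example. A real script would read
# this from a file outside the document root rather than build it inline.
my %valid = (
    alice => hash_password('s4lt1', 'correct horse'),
    bob   => hash_password('s4lt2', 'letmein'),
);

# Check a submitted username/password pair against the table.
# Returns 1 on success, 0 otherwise. Unknown users and wrong passwords
# take the same path, so the response does not reveal which one failed.
sub check_credentials {
    my ($user, $pass, $table) = @_;
    return 0 unless defined $user && defined $pass;
    # Hash against a dummy entry when the user is unknown so the same
    # amount of work is done either way.
    my $stored = exists $table->{$user}
        ? $table->{$user}
        : hash_password('dummy', '');
    my ($salt) = split /\$/, $stored, 2;
    my $candidate = hash_password($salt, $pass);
    # Constant-time comparison: XOR every byte instead of stopping early.
    return 0 unless length $candidate == length $stored;
    my $diff = 0;
    $diff |= ord(substr $candidate, $_, 1) ^ ord(substr $stored, $_, 1)
        for 0 .. length($stored) - 1;
    return ($diff == 0 && exists $table->{$user}) ? 1 : 0;
}

# HTTP_REFERER is optional: bookmarks, typed URLs and privacy-minded
# browsers send none, and a client can send whatever it likes. Log it if
# you want, but never base an access decision on it.
sub referer_note {
    my $ref = $ENV{HTTP_REFERER};
    return (defined $ref && length $ref)
        ? "Referer header present (informational only): $ref"
        : "No Referer header; that is normal, not an error";
}

# Minimal decoder for an application/x-www-form-urlencoded body.
sub parse_form {
    my ($body) = @_;
    my %f;
    for my $pair (split /&/, $body) {
        my ($k, $v) = split /=/, $pair, 2;
        for ($k, $v) {
            next unless defined;
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/eg;
        }
        $f{$k} = $v;
    }
    return \%f;
}

# Demonstration on constructed input instead of a live request.
print "Content-type: text/plain\n\n";
print referer_note(), "\n";
for my $body ('user=alice&pass=correct+horse',
              'user=alice&pass=wrong',
              'user=mallory&pass=correct+horse') {
    my $form = parse_form($body);
    printf "%-35s -> %s\n", $body,
        check_credentials($form->{user}, $form->{pass}, \%valid)
            ? "welcome, $form->{user}"
            : "access denied";
}
```

Run it from a shell with no HTTP_REFERER in the environment and the first line reports the header as absent, which is exactly the situation Tomer saw; only the alice/correct horse pair is accepted, and the other two requests are refused with the same message.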