
[MacPerl-WebCGI] %ENV vars & authentication [was: replicating chmod command on amac]



At 10:56 AM -0700 7/9/99, Tomer Tishgarten wrote:
>During my lunch break I created a temporary fix.  By converting the
>command if for until, I was able to modify the way that perl checked
>the username and password (I learned for the first time last night
>that perl always assumes a statement is true under the if statement).

Hmmm? Not sure what you mean by the last statement ... :-)


>But, I wanted to install an additional bit of security that I
>discovered I could not implement.  When I tried to print all of the
>$ENV variables I got:

[snip]

>If you look carefully, you'll notice that I am missing the HTTP_REFERER
>variable.  Why am I missing this variable?  Is there a module that I need
>to be running in order to get it?

IMO, passive ways of IDing are a waste of time.

HTTP_REFERER just isn't a reliable environment variable, especially if
you're using it for authentication. It's not reliable because:

1. Sometimes there is no value, for example when someone comes to your site
by means of choosing it from their menu of bookmarked pages, rather than
clicking a hyperlink to request the URL.

2. It's possible for the web browser to prevent HTTP_REFERER from being
sent. As a user I like that; I'm not especially interested in letting
someone trace what sites I've visited. As a programmer, I understand that I
can't rely on it, just like I can't rely on visitors having javascript
enabled. (See iCab for a web browser that lets you prevent HTTP_REFERER
from being sent; it's a preview; get release 1.5 or later; go to
http://www.icab.de.)

Beyond HTTP_REFERER, environment variables in general are not reliable ways
of identifying or authenticating a visitor to a public web site.

Just ask 'em who they are. Give 'em a password if necessary; keep a table
of valid passwords tucked away (encrypted in a file, hard coded right in
the script, etc.) where your authentication script or subroutine can find
it.

This is not only a programming issue. Promote trust in your sites rather
than paranoia, by being up front regarding what you know or want to know
about your visitors.

- Bruce

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Bruce Van Allen
bva@cruzio.com
831/429-1688
P.O. Box 839
Santa Cruz, CA  95061
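The contrast Bruce draws above, as an added example that is not part of the original post or of MacPerl: a referer "check" that a legitimate bookmark visitor fails because no HTTP_REFERER arrives at all, next to the explicit username/password check he recommends, with the password table kept as salted hashes. It assumes a modern Perl with the core Digest::SHA module; the user record, salt, password and hostname are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not code from the original thread.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);   # assumption: core Digest::SHA is available

# Constructed password table: username => salt and hex SHA-256 of salt.password.
# In a real CGI script this lives in a file outside the web-served directory.
my %users = (
    tomer => { salt => 'x7Qp', hash => sha256_hex('x7Qp' . 'correct horse') },
);

# Passive check: does the request claim to come from our own site?
# Returns 0 when HTTP_REFERER is absent (bookmarks, privacy settings, browsers
# that never send it), so a genuine visitor is turned away.
sub referer_looks_local {
    my ($env, $our_host) = @_;
    my $ref = $env->{HTTP_REFERER};
    return 0 unless defined $ref && length $ref;            # case 1: no value
    return $ref =~ m{^https?://\Q$our_host\E(?:[/:]|$)} ? 1 : 0;
}

# Active check: compare the hash of the submitted password with the stored
# hash, byte by byte, so the comparison time does not leak where they differ.
sub authenticate {
    my ($user, $password) = @_;
    return 0 unless defined $user && defined $password;
    my $rec = $users{$user} or return 0;
    my $candidate = sha256_hex($rec->{salt} . $password);
    return 0 unless length $candidate == length $rec->{hash};
    my $diff = 0;
    for my $i (0 .. length($candidate) - 1) {
        $diff |= ord(substr($candidate, $i, 1)) ^ ord(substr($rec->{hash}, $i, 1));
    }
    return $diff == 0 ? 1 : 0;
}

# Constructed environments: a visit from a bookmark (no referer header) and
# a form submission from our own (hypothetical) login page.
my %bookmark_visit = ( REQUEST_METHOD => 'GET' );
my %form_post      = ( HTTP_REFERER   => 'http://www.example.com/login.html' );

printf "referer check, bookmark visit:  %d\n",
    referer_looks_local(\%bookmark_visit, 'www.example.com');
printf "referer check, form post:       %d\n",
    referer_looks_local(\%form_post, 'www.example.com');
printf "password check, right password: %d\n", authenticate('tomer', 'correct horse');
printf "password check, wrong password: %d\n", authenticate('tomer', 'guess');
```

The first printf line is the point of Bruce's case 1: the bookmark visitor is legitimate, yet the referer check rejects them, while the password check answers the actual question of who the visitor is. In a CGI script the username and password would come from the submitted form fields rather than literals.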

==== Want to unsubscribe from this list?
==== Send mail with body "unsubscribe" to macperl-webcgi-request@macperl.org