>I've written a cgi script that returns the web URL last visited. However, >it only works when the last page visited is my own web page, not when >I've visited Apple's page last (and call the cgi directly). Could it be a >limitation that providers impose? Yes and no. Consider: Do you yourself want some webmaster to be able to see that you were just visiting his/her competitor's site? Environment variables are rather optional and only partially reliable. It's not hard to hide them or alter their contents for good purposes or ill, either from the server side or the client side. >I've a bit difficulty understanding the usefulness of HTTP_REFERER when I >can see it contents only if someone lands at my site via a cgi script. >So, I would see no posibility to see how people ended up at my website. You have the crux of the issue here. Environment variables should generally be considered ornamentation, unless you want to use them to casually track a visitor's path through your site, in which case you should still consider them decorative. Don't reveal sensitive information based on these variables, and don't charge people money based on them, either. Cookies appear to be more reliable, but you still should not base any security solely on the contents of a cookie. Cookies can also be rigged. >When I've made a file executable, I can drag a replacement (with the same >name) in the cgi-bin folder and I don't have to make it executable again. >Is that the general behaviour, i.e. does the server keep a list of names >of executable files? Are we talking about a Mac server or some other server? In the UNIX world, servers tend to base executability on three indicators: file permissions, file name extensions, and folders/directories. The server is usually told to make executables accessible only in the cgi directory, which is often set to be cgi-local or cgi-bin. You can still require specific extensions (.cgi, .pl, etc.) within this directory. (On the other hand, html in the cgi directory is often not accessible.) Then you must set the file permissions on each cgi program file to allow execution by users making requests to the web server, meaning your usual visitor-from-who-knows-where. Thinking about this, some systems set permissions according to the overwritten file when overwriting files, which would give the result you mention above without actually requiring the system to track anything. Servers on the Mac might exhibit similar behaviour for similar reasons. HTH rees_joel@fujicomp.co.jp http://www.fujicomp.co.jp http://www.udit.gr.jp ==== Want to unsubscribe from this list? ==== Send mail with body "unsubscribe" to macperl-webcgi-request@macperl.org