Ensuring CGI script executed from my server - CodingForum


  • Ensuring CGI script executed from my server

    Hi there,
    I've had a look and can't seem to find this question anywhere, but please forgive me if it is answered elsewhere.
    The problem is thus: how to ensure CGI scripts are being called from pages on my site, and not 'hot linked' from elsewhere?
    The HTTP_REFERER was a dodgy method I used to employ up until recently where it was becoming so problematic it simply cannot be used anymore.
    Has anyone any suggestions for further avenues of investigation or any nice little code snippets that can check the referring page?
    I may have to go down the session management type route but this will mean recoding an entire site to accommodate such a method, so preferably avoided if at all possible.
    Many thanks.

  • #2
    You can't use the http_referer with any certainty at all because HTTP headers are easily faked. Many Perl coders think it is so useless they don't even bother with it.

    You could try using a cookie. The user gets a cookie when they load your form into their browser. They send the form data and your script also collects the value of the cookie. If the proper cookie value is not present the script aborts.

    This is also not fool-proof but should keep bots from using your forms and will stop most remote use of the form.

    Your suggestion is probably the best one though.


    • #3
      Thanks for the reply Kevin.
      I had considered cookies, but this is also impractical because the CGI pages in question are not form-processing ones, but rather scripts which generate the site content. This also wouldn't prevent testing from where the script has been accessed from.
      I've had a few problems with other sites just housing some elements of mine within a frame - HTTP_REFERER used to catch most of these but now that's not even getting set anymore.
      As far as I can tell there is no relatively easy way out of this.
      I'm sure this must be a common problem, and I find it odd that no-one has a simple solution yet.


      • #4
        htaccess might help.


        • #5
          Yup htaccess may help but I'd like to do this entirely within the scripting if I can.
          I've considered now creating an index.cgi which will generate the page with links to the other sections containing encrypted session type vars.
          Then have each relevant CGI script check for a valid session string.
          A royal pain in the back-side but I'm sure that will keep things relatively safe.
          Thanks anyway.
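
One way to build the link check described in post #5, as an added example that is not part of the original thread. It signs the value with HMAC-SHA256 instead of encrypting it, and the secret, lifetime, script names and function names are all assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the thread): index.cgi issues links carrying a signed,
# expiring token; every other script verifies it before generating content.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a long random secret stored outside the web root (placeholder here).
my $SECRET = 'replace-with-long-random-secret';
my $TTL    = 900;    # seconds a link stays valid (assumed value)

# Token = "<expiry>.<HMAC over script name and expiry>", so it is bound to one script.
sub make_token {
    my ($script, $now) = @_;
    my $expiry = $now + $TTL;
    return "$expiry." . hmac_sha256_hex("$script|$expiry", $SECRET);
}

# Constant-time comparison so the check does not reveal how many characters matched.
sub const_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Returns 1 only for a well-formed, unexpired token issued for this script.
sub check_token {
    my ($script, $token, $now) = @_;
    return 0 unless defined $token && $token =~ /\A(\d{1,12})\.([0-9a-f]{64})\z/;
    my ($expiry, $mac) = ($1, $2);
    return 0 if $now > $expiry;    # stale link, e.g. one copied into another site
    return const_eq($mac, hmac_sha256_hex("$script|$expiry", $SECRET));
}

# Constructed demonstration, run from the command line rather than under CGI.
my $now   = time;
my $token = make_token('news.cgi', $now);
print "link issued by index.cgi: /cgi-bin/news.cgi?t=$token\n";
my @cases = (
    [ 'fresh token, right script', 'news.cgi',  $token,  $now ],
    [ 'same token, other script',  'admin.cgi', $token,  $now ],
    [ 'token after expiry',        'news.cgi',  $token,  $now + $TTL + 1 ],
    [ 'malformed token',           'news.cgi',  'bogus', $now ],
);
printf "%-28s %s\n", $_->[0], check_token(@{$_}[1 .. 3]) ? 'accepted' : 'rejected' for @cases;
```

A token like this only makes copied or stale links stop working; a remote page can still request a fresh link from index.cgi, so it shares the "not fool-proof" limit noted in post #2.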