On Mon, 4 Jun 2001, Kurt Edmiston wrote:
> Hi, I want to limit access to one of my scripts. I have a list of web
> pages that are authorized to call my script, and I want to disable the
> script if another unauthorized page calls it. My code to do this looks
> like the following:
>
>
> use strict;
>
> my $referer = $ENV{HTTP_REFERER} || '';   # empty if the browser sent no Referer
> my $legal_referer;
> my @legal_referers = ("http://www.some-url.com/page1.html"); # list of authorized pages
> my $clear = 0;
>
> foreach $legal_referer (@legal_referers)
> {
>     if ($legal_referer eq $referer)
>     { $clear = 1; }
> }
>
> if (!$clear)
> { exit; } # kill the script
> ...
>
> I want to know if this is a good (safe) way to do this. I'm open to any
> suggestions. Thanks in advance.
IP addresses can be spoofed, and authenticating against a referrer address
is not at all secure. You are better off, IMHO, using basic
authentication or some other authentication mechanism through your web
server, perhaps with appropriate session management.
Have you read http://www.w3.org/Security/Faq/wwwsf3.html? This is required
reading if you are thinking of implementing any kind of security on your
web site (this page is maintained by the same guy who wrote our beloved
CGI.pm :-) )
-- Brett
Brett W. McCoy
Software Engineer
Broadsoft, Inc.
240-364-5225
[EMAIL PROTECTED]
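An added example, not from either message in the thread and written in Python rather than Kurt's Perl, that shows both halves of Brett's point. It re-implements the posted Referer allow-list check over a CGI-style environment dict, demonstrates that a client passes it simply by sending the allow-listed URL as its Referer header, and contrasts it with a server-issued, HMAC-signed session token that cannot be minted without the server's secret. The allow-list entry is the one from the post; the secret key, client address and cookie values are constructed for the demo.

```python
"""Added example: why a Referer allow-list is not access control.

Not from the original thread, and written in Python rather than the poster's
Perl. It re-implements the posted referer check over a CGI-style environment
dict, shows that a client satisfies it by sending whatever Referer it likes,
and contrasts it with a server-issued, HMAC-signed session token that a client
cannot forge without the server's secret. The allow-list entry comes from the
post; the secret, addresses and cookie values are constructed for the demo.
"""
import hashlib
import hmac
import time

# The authorized page from the post.
LEGAL_REFERERS = ("http://www.some-url.com/page1.html",)


def referer_check(environ):
    """The posted logic: pass only if HTTP_REFERER equals an allow-listed URL."""
    return environ.get("HTTP_REFERER", "") in LEGAL_REFERERS


# A constructed request from an unauthorized client. Referer is a plain request
# header, so a script, proxy or browser extension can set it to any value; here
# it simply copies the allow-listed URL.
FORGED_REQUEST = {
    "REQUEST_METHOD": "GET",
    "REMOTE_ADDR": "203.0.113.7",
    "HTTP_REFERER": "http://www.some-url.com/page1.html",
}

# Hypothetical server-side secret; a real script would load it from a file that
# is not under the document root rather than embedding it.
SERVER_SECRET = b"example-secret-do-not-use"
TOKEN_MAX_AGE = 3600  # seconds a session token stays valid


def issue_session_token(user, secret=SERVER_SECRET, now=None):
    """Mint 'user:issued:tag' where tag = HMAC-SHA256(secret, 'user:issued').

    Only the server knows the secret, so only the server can mint valid tags.
    """
    issued = int(time.time() if now is None else now)
    msg = f"{user}:{issued}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{user}:{issued}:{tag}"


def verify_session_token(token, secret=SERVER_SECRET, now=None, max_age=TOKEN_MAX_AGE):
    """Return the user name if the token is authentic and unexpired, else None."""
    try:
        user, issued_s, tag = token.rsplit(":", 2)
        issued = int(issued_s)
    except ValueError:
        return None
    expected = hmac.new(secret, f"{user}:{issued}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    current = time.time() if now is None else now
    if current - issued > max_age or issued > current + 60:
        return None
    return user


def session_check(environ, secret=SERVER_SECRET, now=None):
    """Find the 'session' cookie in HTTP_COOKIE and verify it; None if absent or bad."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return verify_session_token(value, secret, now)
    return None


if __name__ == "__main__":
    print("forged Referer passes referer check:", referer_check(FORGED_REQUEST))
    token = issue_session_token("alice", now=1000)
    print("genuine token:", session_check({"HTTP_COOKIE": "session=" + token}, now=1500))
    fake = issue_session_token("alice", secret=b"guess", now=1000)
    print("token minted with wrong secret:",
          session_check({"HTTP_COOKIE": "session=" + fake}, now=1500))
    print("forged request without a session:", session_check(FORGED_REQUEST, now=1500))
```

Two practical notes on the contrast: the Referer check also fails in the other direction, since browsers and privacy proxies that omit or strip the header make legitimate users look unauthorized, whereas a session token is either present and valid or not. If you take Brett's first suggestion and let the web server do HTTP basic authentication, the script does not need its own token code at all; it reads the authenticated name from `$ENV{REMOTE_USER}` (Apache only sets that after the server has verified the credentials), and the token scheme above is one way to add the session management he mentions on top of that.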