Or what if the href= component of hyperlinks was mangled in some way (for
user "nobody") but then some javascript is run after the page loads to
unmangle the hyperlinks.  Would that work?

On Thu, Feb 17, 2011 at 12:35 PM, Richard Hipp <d...@sqlite.org> wrote:

>
>
> On Thu, Feb 17, 2011 at 12:14 PM, Zed A. Shaw <zeds...@zedshaw.com> wrote:
>
>> On Thu, Feb 17, 2011 at 09:34:49AM -0500, Richard Hipp wrote:
>> > On the http://www.fossil-scm.org/ website (which, as you know, is really
>> > just an instance of Fossil running as CGI) I have added to the Fossil
>> > header:
>> >
>> >      <meta name="ROBOTS" content="NOFOLLOW">
>>
>> I have an idea that might work.  What you want is a way to make sure
>> it's a browser vs. a bot, basically a "login" that happens automatically
>> for people using a browser, but doesn't happen for bots.
>>
>> First thing is, you require cookies to browse the site.
>>
>> Next, you have the "login" page with a light option.  What the Light
>> Login Page does is use some javascript to do a minor calculation and
>> then set a nonce as a cookie.  It wouldn't have to be that complex, just
>> something that is calculated in javascript that can be verified in
>> fossil.
>>
>> Then, fossil is set up so that anyone without this nonce is sent to the
>> LLP.  If they have cookies turned on and can calculate the nonce then
>> they're just redirected back to where they were trying to go.  If not
>> then they're shown a message that says they have to turn cookies on
>> because they look like a bot.
>>
>> After that, anyone with the nonce is considered "logged in".
>>
>> In fact, you could probably do this right now with the current login
>> scheme and the anonymous login button.  Just change the javascript to do
>> an automated form submit without requiring a button click.
>>
>> Anyway, if all you need to do is block bots then it's trivial to just
>> make a simple javascript based automatic login system that only works in
>> a browser.  People could subvert it, but it'd be a special case that you
>> could handle.
>>
>
> Can we simply put a little javascript code in the header that checks for
> the existence of the "anonymous login" cookie, and if not found sets it and
> redirects back to itself?  Would that not work?
>
> Can somebody suggest some appropriate javascript?
>
>
>
>>
>> --
>>
>> Zed A. Shaw
>> http://zedshaw.com/
>> _______________________________________________
>> fossil-users mailing list
>> fossil-users@lists.fossil-scm.org
>> http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
>>
>
>
>
> --
> D. Richard Hipp
> d...@sqlite.org
>



-- 
D. Richard Hipp
d...@sqlite.org
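
The Light Login Page scheme quoted above, sketched end to end as an added example; it is not part of the thread and not Fossil's code. The cookie name `llp`, the multiply-and-reduce calculation, the HMAC-signed challenge, the one-hour lifetime and the `returnTo` variable are all assumptions made for illustration.

```javascript
// Added example (not Fossil code). Server half runs under Node.js;
// clientSolve() is the calculation the Light Login Page script would run.
const nodeCrypto = require('crypto');

const SECRET = nodeCrypto.randomBytes(32); // assumption: per-server key, never sent to clients
const MAX_AGE_MS = 60 * 60 * 1000;         // assumption: nonce cookie valid for one hour

function mac(data) {
  return nodeCrypto.createHmac('sha256', SECRET).update(data).digest('hex');
}

// Server: embed this challenge in the Light Login Page. The HMAC tag lets the
// server verify it later without storing any per-visitor state.
function issueChallenge(now = Date.now()) {
  const a = nodeCrypto.randomInt(1000, 10000);
  const b = nodeCrypto.randomInt(1000, 10000);
  return { a, b, issued: now, tag: mac(`${a}.${b}.${now}`) };
}

// Browser: the "minor calculation". The page script would then run
//   document.cookie = 'llp=' + clientSolve(ch) + '; path=/; SameSite=Lax';
//   location.replace(returnTo);
function clientSolve(ch) {
  const answer = (ch.a * ch.b) % 65521;
  return [ch.a, ch.b, ch.issued, ch.tag, answer].join('.');
}

// Server: accept the cookie only if the challenge is ours, fresh, and solved.
function verifyCookie(value, now = Date.now()) {
  const m = /^(\d{4})\.(\d{4})\.(\d{1,15})\.([0-9a-f]{64})\.(\d{1,5})$/.exec(String(value));
  if (!m) return false;
  const [, a, b, issued, tag, answer] = m;
  const expected = Buffer.from(mac(`${a}.${b}.${issued}`), 'hex');
  if (!nodeCrypto.timingSafeEqual(expected, Buffer.from(tag, 'hex'))) return false;
  const age = now - Number(issued);
  if (age < 0 || age > MAX_AGE_MS) return false;
  return Number(answer) === (Number(a) * Number(b)) % 65521;
}

// Server: only redirect back to a local path, so the return-to parameter
// cannot be used to bounce visitors to another site.
function safeReturnPath(path) {
  return /^\/(?![\/\\])[\x21-\x7e]*$/.test(String(path)) ? path : '/';
}
```

The cookie works as a bearer value until it expires, and any client that executes the page script passes the check, so this filters simple crawlers only.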