Simple security script baffling...

Discussion in 'Perl Misc' started by mortgages2005@aol.com, Apr 23, 2005.

  1. Guest

    Hello all. I'm trying to secure my script using $ENV{'HTTP_REFERER'}
    and it keeps coming up blank. It's strange:
    The customer actually comes from paypal.com and I wanted to test this
    url for ENV{'HTTP_REFERER'} in order to let the person gain access to
    create a new account. I decided to just try using my own server instead
    but I get nothing in this ENV variable.

    Here is the code:

    use strict;
    use warnings;

    # HTTP_REFERER is an optional request header, so this may be undefined
    my $origin = $ENV{'HTTP_REFERER'};
    my $true   = 0;
    # dots escaped so the pattern matches the host name literally
    if (defined $origin && $origin =~ m#^http://www\.mortgage-applications-online\.com/#) {
        $true = 1;
        print "Content-type: text/html\n\n";
        print "<H1>Unauthorized Access</h1><br>";
        print $origin . "\n\n";
        print $true;
        exit;
    }

    The $origin variable yields NOTHING at all! Can someone please explain the
    problem here?

    How else can I prevent someone from accessing my script without paying
    first?

    Thanks.

    Scot King
    , Apr 23, 2005
    #1

  2. Tintin Guest

    <> wrote in message
    news:...
    > Hello all. I'm trying to secure my script using $ENV{'HTTP_REFERER'}
    > and it keeps coming up blank.


    It's a very bad idea to rely on HTTP_REFERER as it is easy to forge, or
    maybe disabled at the client end or stripped off by proxy servers.

    >It's strange:
    > The customer actually comes from paypal.com and I wanted to test this
    > url for ENV{'HTTP_REFERER'} in order to let the person gain access to
    > create a new account. I decided to just try using my own server instead
    > but I get nothing in this ENV variable.


    Exactly. It may or may not be set. And if it is set, you can't guarantee
    the contents are valid.

    >
    > Here is the code:
    >
    > $origin=$ENV{'HTTP_REFERER'};
    > $true=0;
    > if ($origin=~ m#^http://www.mortgage-applications-online.com/#) {
    > $true=1;
    > print "Content-type: text/html\n\n";
    > print "<H1>Unauthorized Access</h1><br>";
    > print $origin . "\n\n";
    > print $true;
    > exit;
    >
    > The $origin variable yields NOTHING at all! Can someone please explain the
    > problem here?
    >
    > How else can I prevent someone from accessing my script without paying
    > first?


    Setup one of the many authentication methods. However, none of this is
    relevant to Perl (unless you choose to implement your authentication via a
    Perl script).
    Tintin, Apr 23, 2005
    #2

  3. wrote:

    > $origin=$ENV{'HTTP_REFERER'};


    ....

    > The $origin variable yields NOTHING at all! Can someone please explain the
    > problem here?


    There is no problem. The HTTP_REFERER variable is optional - user agents
    are not required to provide one. Nor, if one happens to be provided, do
    you have any way to verify its accuracy.

    The problem would have been if you had developed a false sense of
    security from using such an unreliable mechanism.

    > How else can I prevent someone from accessing my script without paying
    > first?


    When an account is paid for, create a login and password. Configure your
    server to use "HTTP basic authorization" (Google for it), and refuse
    access to anyone not logged in.

    sherm--

    --
    Cocoa programming in Perl: http://camelbones.sourceforge.net
    Hire me! My resume: http://www.dot-app.org
    Sherm Pendley, Apr 23, 2005
    #3
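    The two replies above amount to a before/after. The script below is an added
    example, not code from this thread: the "before" is the original referer test
    written as a function and run against constructed request environments (no
    real requests), which shows a paying customer being refused as soon as a
    privacy setting or proxy drops the header, while a visitor who merely
    followed a link on the site is let through. The "after" reads REMOTE_USER,
    which Apache only sets once the client has logged in against the basic-auth
    directives sketched in the comments; the realm name, the .htaccess
    directives and the password-file path are assumptions.

    ```perl
    #!/usr/bin/perl
    use strict;
    use warnings;

    # BEFORE: the check from the original post, as a function so it can be
    # exercised against constructed environments.
    sub referer_allows {
        my ($env) = @_;
        my $origin = $env->{HTTP_REFERER};
        return 0 unless defined $origin;    # header is optional: absent means no match
        return $origin =~ m{^http://www\.mortgage-applications-online\.com/} ? 1 : 0;
    }

    # AFTER: trust only what the web server established itself.  Inside a
    # directory protected by an (assumed) .htaccess such as
    #   AuthType Basic
    #   AuthName "Members"
    #   AuthUserFile /srv/private/htpasswd     # kept outside the document root
    #   Require valid-user
    # Apache sets REMOTE_USER only after a successful login, and a client that
    # never logs in never reaches the script at all.
    sub authenticated_user {
        my ($env) = @_;
        my $user = $env->{REMOTE_USER};
        return undef unless defined $user && $user =~ /\A[A-Za-z0-9._@-]{1,64}\z/;
        return $user;
    }

    # When running as the real CGI, decide from the server-supplied environment.
    if ($ENV{GATEWAY_INTERFACE}) {
        my $user = authenticated_user(\%ENV);
        if (defined $user) {
            print "Content-type: text/html\n\n<h1>Welcome, $user</h1>\n";
        } else {
            print "Status: 401 Unauthorized\nContent-type: text/html\n\n",
                  "<h1>Unauthorized Access</h1>\n";
        }
        exit;
    }

    # Otherwise run the comparison over constructed environments (not real requests).
    my %requests = (
        paid_customer_referer_suppressed => { REMOTE_USER => 'alice' },
        paid_customer_behind_proxy       => { HTTP_REFERER => '', REMOTE_USER => 'alice' },
        unpaid_visitor_following_a_link  => {
            HTTP_REFERER => 'http://www.mortgage-applications-online.com/start.html',
        },
    );

    for my $name (sort keys %requests) {
        my $env = $requests{$name};
        printf "%-34s referer check: %-7s  auth check: %s\n",
            $name,
            referer_allows($env)     ? 'allowed' : 'DENIED',
            authenticated_user($env) ? 'allowed' : 'DENIED';
    }
    ```

    Run from a shell it prints the three-row comparison; under Apache, with the
    directory protected as in the comments, it serves the page only to a logged-in
    user. The username pattern in authenticated_user is a sanity check before the
    value is echoed into HTML, not a substitute for the server's authentication.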
  4. Guest

    Look,

    Thanks for your input. However, the problem is, what you're saying to
    do, (i.e. let them create a user name password) is exactly what I do
    after they come from the paypal website. They have to sign up for an
    account, and that's part of the sign up process. They choose a user
    name and password. I use a htta password protected subdirectory for
    all of their info.

    I need to only authorize a link from my server to operate the program,
    and anyone who tries otherwise gets an error message.

    How do I do this, before invoking the program that allows them to
    create their account? Do I have to let them create just a user name
    password first? This is not the procedure I use on my site. My program
    prompts them to enter a username password, company info, etc. It's
    this program that needs protecting.
    , Apr 23, 2005
    #4
  5. wrote:
    > I'm trying to secure my script using $ENV{'HTTP_REFERER'}


    As others have told you: Bad idea!

    > The customer actually comes from paypal.com


    PayPal provides tools for automatically creating a username/password
    pair (basic authentication) when somebody has made a subscription
    payment. I'm using it for just that purpose: access to a script (see
    http://www.gunnar.cc/mailman.html).

    --
    Gunnar Hjalmarsson
    Email: http://www.gunnar.cc/cgi-bin/contact.pl
    Gunnar Hjalmarsson, Apr 23, 2005
    #5
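    The server-side half of what Gunnar describes, as an added example (not
    Gunnar's code, not PayPal's): once a payment notification has been verified,
    the script creates the customer's login in the htpasswd file that the
    basic-auth configuration reads. The verification itself is out of scope and
    left as a clearly marked placeholder whose field names are modelled on a
    payment notification; the password-file path is an assumption. The entry is
    written with Apache's htpasswd tool in list form, so the username never passes
    through a shell, and the password is fed on stdin (-i) instead of the command
    line, so it is not visible in the process list.

    ```perl
    #!/usr/bin/perl
    use strict;
    use warnings;
    use MIME::Base64 qw(encode_base64);

    # Assumed location of the file named by AuthUserFile; it must sit outside the
    # document root and be created once with "htpasswd -c -B FILE firstuser".
    my $HTPASSWD_FILE = '/srv/private/htpasswd';

    # Initial password from the kernel's random source (18 bytes -> 24 URL-safe
    # characters); the customer should change it after first login.
    sub random_password {
        open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
        my $n = read $fh, my $bytes, 18;
        die "short read from urandom\n" unless defined $n && $n == 18;
        close $fh;
        (my $pw = encode_base64($bytes, '')) =~ tr{+/}{-_};
        return $pw;
    }

    # Add (or replace) one login with a bcrypt hash.  List-form pipe open means
    # no shell, so a hostile username cannot inject options or commands; -i reads
    # the password from stdin so it never appears in ps output.
    sub add_login {
        my ($user, $password) = @_;
        die "bad username\n" unless $user =~ /\A[A-Za-z0-9._@-]{1,64}\z/;
        open my $pipe, '|-', 'htpasswd', '-i', '-B', $HTPASSWD_FILE, $user
            or die "cannot run htpasswd: $!";
        print {$pipe} $password, "\n";
        close $pipe or die "htpasswd failed (exit status " . ($? >> 8) . ")\n";
        return 1;
    }

    # PLACEHOLDER: a real implementation validates the notification with the
    # payment provider and checks amount, currency and receiver before trusting
    # any field.  Here it only admits a notification constructed for the demo.
    sub payment_verified {
        my ($notification) = @_;
        return 0 unless ($notification->{payment_status} // '') eq 'Completed';
        return $notification->{constructed_for_demo} ? 1 : 0;
    }

    # Create the login only after the payment is verified; returns the password
    # to hand to the customer over a channel you trust, or undef.
    sub provision_account {
        my ($notification, $user) = @_;
        return undef unless payment_verified($notification);
        my $pw = random_password();
        add_login($user, $pw);
        return $pw;
    }

    # Demo run with a constructed notification; needs htpasswd on PATH and an
    # existing password file.
    if (@ARGV && $ARGV[0] eq '--demo') {
        my %notification = (payment_status => 'Completed', constructed_for_demo => 1);
        my $pw = provision_account(\%notification, 'alice');
        print defined $pw ? "provisioned alice\n" : "payment not verified\n";
    }
    ```

    The script that the original poster wants to protect (the one that collects
    username, company details and so on) then lives in the directory covered by
    the AuthUserFile above, so nobody reaches it without a login that this
    provisioning step created.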
  6. Guest

    Where are these tools on paypal? I looked all over. Do I provide
    these username/password pairs to paypal? If not, how else am I
    supposed to verify if they are valid on my site?
    , Apr 23, 2005
    #6