Re: [gopher] gopher sessions for CGI's
On Wed, 30 May 2012, Kim Holviala wrote:
> How do you prevent search engines from "stealing" a session? What I mean is;
> when a search engine enters your site, it becomes for example session
> number "123". Now every person who comes to your site through the search
> engines also has the same session ID pretty much breaking the whole
> thing....
That's a good point, and I didn't originally think of that when I wrote
my proposal. Damien had a good suggestion when he mentioned
robots.txt. Since all my CGIs are in the games folder on my gopher site I
would just do something like this:
    User-agent: *
    Disallow: /users/octotep/games/

or if I just have one CGI which requires sessions:

    User-agent: *
    Disallow: /users/octotep/games/sess.cgi

robots.txt would be a very effective way to stop search engines from
browsing CGIs. I would personally block all CGIs regardless of
whether they use sessions or not because I don't like search engines
browsing my CGIs. I had a problem with Google crawling FTP through a
gopher proxy and my FTP CGI gateway script... (Just look at the second
page or so of Google results for octotep)
Or even if that isn't an option, clever programming can defeat a bot. For
example, if a game requires a session, perhaps make the user enter a name.
If a name is given, make the CGI give a link to the game and a session number
(maybe even a welcome message to make the process seem worthwhile). If no
name is given, do _not_ give a link to the game or give a session number.
Only a bot which is crawling selectors wouldn't give a name. Therefore,
the session is never supplied to the bot. Bot: Defeated. Day: Saved.
> I've thought about using the URI for parameters, but it just doesn't
> work, and it looks ugly...
Besides that point, I don't see how it wouldn't work... If there is
something else I missed, please mention it. I will admit that:
gopher://sdf.org/1/gs-aw4h12/users/octotep/sess.cgi
would be uglier than the alternative, but I believe that the trade-off of
gained functionality versus beauty is worth it, but that might just be me.
Also, the proposal only suggests to use this when it is *absolutely
necessary*. If a CGI doesn't need it, don't bother with it. It just
unnecessarily complicates things. With reduced usage I don't really see it
as much of a problem.
Regards,
Chris
_______________________________________________
Gopher-Project mailing list
Gopher-Project@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/gopher-project
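
An added example, not part of the message above or of the proposal's own code: a Python handler for the name-gated session idea, parsing the `/gs-<id>` selector prefix as it appears in the example URL. The random session IDs, the expiry (`SESSION_TTL`), the in-memory store and the host name are assumptions made for this illustration.

```python
import re
import secrets
import time

SESSION_TTL = 1800  # seconds; assumed lifetime, not from the proposal
SELECTOR_RE = re.compile(r"^/gs-([A-Za-z0-9_-]+)(/.*)$")
SESSIONS = {}  # session id -> (name, expiry time); in-memory for the example


def split_selector(selector):
    """Split '/gs-<id>/path' into (id, '/path'); id is None if no prefix."""
    m = SELECTOR_RE.match(selector)
    return (m.group(1), m.group(2)) if m else (None, selector)


def issue_session(name, now=None):
    """Create a session only when a non-empty name was submitted."""
    name = " ".join((name or "").split())  # drop tabs that would break a menu line
    if not name:
        return None  # a crawler following bare selectors ends up here
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(9)  # unguessable, unlike a counter such as "123"
    SESSIONS[sid] = (name, now + SESSION_TTL)
    return sid


def lookup_session(sid, now=None):
    """Return the name bound to a live session, or None if unknown or expired."""
    now = time.time() if now is None else now
    name, expires = SESSIONS.get(sid, (None, 0))
    if name is None or now >= expires:
        SESSIONS.pop(sid, None)  # an old ID from an indexed link stops working
        return None
    return name


def handle(selector, search="", host="gopher.example", port=70, now=None):
    """Return gopher menu lines (type+text, selector, host, port) for a request."""
    sid, path = split_selector(selector)
    name = lookup_session(sid, now) if sid else None
    if name:
        return [f"iWelcome back, {name}\t\t{host}\t{port}"]
    sid = issue_session(search, now)
    if sid is None:  # no name: prompt again, never emit a session link
        return [f"7Enter a name to play\t{path}\t{host}\t{port}"]
    return [f"iWelcome, {SESSIONS[sid][0]}!\t\t{host}\t{port}",
            f"1Start the game\t/gs-{sid}{path}\t{host}\t{port}"]
```

A request without a search string gets only the type-7 prompt, so a crawler that just follows selectors never sees a `/gs-` link, and a session ID that was indexed anyway stops resolving once it expires.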