Re: [gopher] gopher sessions for CGI's

To: Gopher Project Discussion <gopher-project@lists.alioth.debian.org>
Subject: Re: [gopher] gopher sessions for CGI's
From: Chris Yealy <octotep@SDF.ORG>
Date: Wed, 30 May 2012 13:51:36 -0400 (EDT)
Message-id: <[🔎] Pine.NEB.4.64.1205301307520.20775@sdf.lonestar.org>
Reply-to: Gopher Project Discussion <gopher-project@lists.alioth.debian.org>
In-reply-to: <[🔎] D66E8756-9E0D-493B-B132-C40CE33686C7@holviala.com>
References: <[🔎] Pine.NEB.4.64.1205250951290.21941@miku.sdf.org> <[🔎] D66E8756-9E0D-493B-B132-C40CE33686C7@holviala.com>

On Wed, 30 May 2012, Kim Holviala wrote:

How do you prevent search engines from "stealing" a session? What I mean is;
when a search engine enters your site, it becomes for example sessionnumber "123". Now every person who comes to your site through the searchengines also has the same session ID pretty much breaking the wholething....

That's a good point, and I didn't originally think of that when I wrotethe my proposal. Damien had a good suggestion when he mentionedrobots.txt. Since all my CGIs are in the games folder on my gopher site Iwould just do something like this


User-agent: *
Disallow: /users/octotep/games/

or if I just have one CGI which requires sessions:

User-agent: *
Disallow: /users/octotep/games/sess.cgi

robots.txt would be a very effective way to stop search engines frombrowsing CGIs. I would personally block all CGIs regardless ofwhether they use sessions or not because I don't like search enginesbrowsing my CGIs. I had a problem with google crawling FTP through agopher proxy and my ftp CGI gateway script... (Just look at the secondpage or so of google results for octotep)

Or even if that isn't an option, clever programming can defeat a bot. Forexample, if a game requires a session, perhaps make the user enter a name.If a name is given make CGI give a link to the game and a session number(maybe even a welcome message to make the process seem worthwhile). If noname is given, do _not_ give a link to the game of give a session number.Only a bot which is crawling selectors wouldn't give a name. Therefore,the session is never supplied to the bot. Bot: Defeated. Day: Saved.

I've thought about using the URI for parameters, but it just doesn'twork, and it looks ugly...

Besides that point, I don't see how it wouldn't work... If there issomething else I missed, please mention it. I will admit that:


gopher://sdf.org/1/gs-aw4h12/users/octotep/sess.cgi

would be uglier that the alternative, but I believe that the trade off ofgained functionality versus beauty is worth it, but that might just be me.Also, the proposal only suggests to use this when it is *absolutelynecessary*. If a CGI doesn't need it, don't bother with it. It justunnecessarily complicates things. With reduced usage I don't really see itas much of a problem.


Regards,
Chris


_______________________________________________
Gopher-Project mailing list
Gopher-Project@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/gopher-project

Reply to:

References:
- [gopher] gopher sessions for CGI's
  - From: Chris Yealy <octotep@SDF.ORG>
- Re: [gopher] gopher sessions for CGI's
  - From: Kim Holviala <kim@holviala.com>

Prev by Date: [gopher] OT: Google indexes finger?
Previous by thread: Re: [gopher] gopher sessions for CGI's
Next by thread: [gopher] OT: Google indexes finger?
Index(es):
- Date
- Thread