[gopher] gopher sessions for CGI's

Chris Yealy octotep at SDF.ORG
Wed May 30 17:51:36 UTC 2012


On Wed, 30 May 2012, Kim Holviala wrote:

> How do you prevent search engines from "stealing" a session? What I mean is;
> when a search engine enters your site, it becomes for example session 
> number "123". Now every person who comes to your site through the search 
> engines also has the same session ID pretty much breaking the whole 
> thing....

That's a good point, and I didn't originally think of that when I wrote 
my proposal. Damien had a good suggestion when he mentioned 
robots.txt. Since all my CGIs are in the games folder on my gopher site I 
would just do something like this

User-agent: *
Disallow: /users/octotep/games/

or if I just have one CGI which requires sessions:

User-agent: *
Disallow: /users/octotep/games/sess.cgi

robots.txt would be a very effective way to stop search engines from 
browsing CGIs. I would personally block all CGIs regardless of 
whether they use sessions or not because I don't like search engines 
browsing my CGIs. I had a problem with Google crawling FTP through a 
gopher proxy and my ftp CGI gateway script... (Just look at the second 
page or so of Google results for octotep)

Or even if that isn't an option, clever programming can defeat a bot. For 
example, if a game requires a session, perhaps make the user enter a name. 
If a name is given, make the CGI give a link to the game and a session number 
(maybe even a welcome message to make the process seem worthwhile). If no 
name is given, do _not_ give a link to the game or give a session number. 
Only a bot which is crawling selectors wouldn't give a name. Therefore, 
the session is never supplied to the bot. Bot: Defeated. Day: Saved.

> I've thought about using the URI for parameters, but it just doesn't 
> work, and it looks ugly...

Besides that point, I don't see how it wouldn't work... If there is 
something else I missed, please mention it. I will admit that:

gopher://sdf.org/1/gs-aw4h12/users/octotep/sess.cgi

would be uglier than the alternative, but I believe that the trade off of 
gained functionality versus beauty is worth it, but that might just be me.
Also, the proposal only suggests to use this when it is *absolutely 
necessary*. If a CGI doesn't need it, don't bother with it. It just 
unnecessarily complicates things. With reduced usage I don't really see it 
as much of a problem.

Regards,
Chris
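
The name-gated session idea from the message above, sketched as an added example that is not part of the original post or of any code by its author. The `gs-<id>` selector prefix, host and CGI path follow the URL in the post; the in-memory session store, the name pattern and the use of random IDs instead of a counter are assumptions.

```python
import re
import secrets

HOST, PORT = "sdf.org", 70                      # host taken from the URL in the post
CGI_SELECTOR = "/users/octotep/sess.cgi"        # CGI path taken from the URL in the post
NAME_RE = re.compile(r"[A-Za-z0-9_ -]{1,32}")   # assumed limit on acceptable names

sessions = {}  # session id -> player name (assumed in-memory store)


def menu_line(item_type, text, selector="", host=HOST, port=PORT):
    """Build one gopher menu line; tabs or CR/LF in the text would break the menu."""
    clean = re.sub(r"[\t\r\n]", " ", text)
    return f"{item_type}{clean}\t{selector}\t{host}\t{port}\r\n"


def entry_page(search_string):
    """Return the menu for the entry CGI, given the type-7 search string (or None)."""
    name = (search_string or "").strip()
    if not NAME_RE.fullmatch(name):
        # A crawler following the bare selector sends no name:
        # it gets a prompt, but no session ID and no link to the game.
        return (menu_line("i", "Enter a name to start a game.")
                + menu_line("7", "Your name", CGI_SELECTOR))
    sid = secrets.token_urlsafe(12)             # unguessable, unlike a counter such as "123"
    sessions[sid] = name
    return (menu_line("i", f"Welcome, {name}!")
            + menu_line("1", "Start the game", f"/gs-{sid}{CGI_SELECTOR}"))


def session_from_selector(selector):
    """Validate a /gs-<id>/... selector; return the player name or None."""
    m = re.match(r"/gs-([A-Za-z0-9_-]+)(/.*)$", selector)
    if not m or m.group(2) != CGI_SELECTOR:
        return None
    return sessions.get(m.group(1))             # unknown IDs are rejected


if __name__ == "__main__":
    print(entry_page(None), end="")             # what a selector-crawling bot sees
    print(entry_page("Alice"), end="")          # what a user who typed a name sees
```
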
