[gopher] gopher sessions for CGI's
Chris Yealy
octotep at SDF.ORG
Wed May 30 17:51:36 UTC 2012
On Wed, 30 May 2012, Kim Holviala wrote:
> How do you prevent search engines from "stealing" a session? What I mean is;
> when a search engine enters your site, it becomes for example session
> number "123". Now every person who comes to your site through the search
> engines also has the same session ID pretty much breaking the whole
> thing....
That's a good point, and I didn't originally think of that when I wrote
my proposal. Damien had a good suggestion when he mentioned
robots.txt. Since all my CGIs are in the games folder on my gopher site I
would just do something like this:

User-agent: *
Disallow: /users/octotep/games/

or if I just have one CGI which requires sessions:

User-agent: *
Disallow: /users/octotep/games/sess.cgi

robots.txt would be a very effective way to stop search engines from
browsing CGIs. I would personally block all CGIs regardless of
whether they use sessions or not because I don't like search engines
browsing my CGIs. I had a problem with google crawling FTP through a
gopher proxy and my ftp CGI gateway script... (Just look at the second
page or so of google results for octotep)
Or even if that isn't an option, clever programming can defeat a bot. For
example, if a game requires a session, perhaps make the user enter a name.
If a name is given, make the CGI give a link to the game and a session number
(maybe even a welcome message to make the process seem worthwhile). If no
name is given, do _not_ give a link to the game or give a session number.
Only a bot which is crawling selectors wouldn't give a name. Therefore,
the session is never supplied to the bot. Bot: Defeated. Day: Saved.
> I've thought about using the URI for parameters, but it just doesn't
> work, and it looks ugly...
Besides that point, I don't see how it wouldn't work... If there is
something else I missed, please mention it. I will admit that:
gopher://sdf.org/1/gs-aw4h12/users/octotep/sess.cgi
would be uglier than the alternative, but I believe that the trade off of
gained functionality versus beauty is worth it, but that might just be me.
Also, the proposal only suggests to use this when it is *absolutely
necessary*. If a CGI doesn't need it, don't bother with it. It just
unnecessarily complicates things. With reduced usage I don't really see it
as much of a problem.
Regards,
Chris
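
The name gate described in the message above, sketched as an added example (not part of the original post and not the author's CGI). It assumes the selector shape of the gopher://sdf.org/1/gs-aw4h12/... URI quoted above, a hypothetical respond() entry point that receives the search string however the server passes it, and an in-memory session table standing in for real storage.

```python
import secrets

HOST, PORT = "sdf.org", 70               # host from the URI in the post; port 70 assumed
GAME = "/users/octotep/games/sess.cgi"   # path from the robots.txt example in the post

def menu_line(item_type, display, selector, host=HOST, port=PORT):
    """One gopher menu line: type+display TAB selector TAB host TAB port."""
    return f"{item_type}{display}\t{selector}\t{host}\t{port}\r\n"

def clean_name(raw):
    """Drop tabs, CR/LF and other control characters so a name cannot
    inject extra fields or lines into the menu, then trim and cap it."""
    return "".join(c for c in (raw or "") if c.isprintable()).strip()[:32]

def respond(search_string, sessions):
    """Build the menu for one request (hypothetical entry point).
    `sessions` maps session id -> player name; a real CGI would persist it."""
    name = clean_name(search_string)
    if not name:
        # A crawler following bare selectors sends no name:
        # it gets the prompt only, never a session or a game link.
        return (menu_line("i", "Enter a name to start a game.", "", "error.host", 1)
                + menu_line("7", "Your name", GAME)
                + ".\r\n")
    # Random id rather than a counter like "123", so ids cannot be guessed.
    sid = secrets.token_urlsafe(9)
    sessions[sid] = name
    return (menu_line("i", f"Welcome, {name}!", "", "error.host", 1)
            + menu_line("1", "Play the game", f"/gs-{sid}{GAME}")
            + ".\r\n")

if __name__ == "__main__":
    table = {}
    print(respond("", table), end="")        # constructed request: crawler, no name
    print(respond("Chris", table), end="")   # constructed request: player gave a name
```

Each named request gets its own id, so a link that ends up in a search index carries only the session of whoever typed that name, and the robots.txt rules above still apply to the CGI path itself.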