Very interesting question (not very specific title :P )

[spyderco]

I'm rewritting a link tracker. You write your HTML urls you wish to track so they point to:

http://www.yourdomain.com/cgi-bin/track.pl?url=www.yourdomain.com/page2.html.

After it logs the URL, it adds the statistics (ip, time, number of clicks, etc) then it redirects to the URL.

That's done and it works.

I want to make it more secure where only links called from the domain where the tracker is on will be executed. This is to say, I don't want YOU to be able to make a link pointed to the tracker on my server and add your useless junk to my database.

I know most people wouldn't do that but there's always those people around trying to screw you up, you know?

HTTP REFERRER doesn't work for some reason, it's not secure anyway. I do NOT want to be forced to predeclare "safe" URLs in the script and check on those. I want it to be setup where I can just make a standard HTML link call on my page and if it's pushed, it automatically sets itself up in my database.

Someone mentioned to use a "cryptographic hash" or something? Didn't know what that meant.

So I need ideas on how to make it so only links on my domain can pass info to the tracker.

Thank you!

 

[tviman]

HTTP-REFERRER should work and will be the best way to accomplish what you want. Once you've got it working, you could maybe create a database of "allowable" URL's and then test that value when it accesses your script.

Run this code to see what HTTP-REFERRER is sending to your scripts:

#!/usr/bin/perl -w

use strict;

print "Content-type: text/html\n\n";

my $var_name;
foreach $var_name ( sort keys %ENV ) {
  print "<P><B>$var_name</B><BR>";
  print $ENV{$var_name};
}

There's always a better way. The fun is trying to find it!

 

[spyderco]

For some reason the referrer isn't picking up. That's one reason it can't be used as an alternative really.

Any idea what they meant by a crypto hash?



Thanks.

 

[PaulTEG]

HTTP-REFERER, only one R, where sometimes people think there's two ;-)

--Paul

cigless ...

 

[tviman]

Ooops..... my aplologies

Thanks for the sharp eye, Paul!

BTW - does cigless mean that you've recently quit smoking?

There's always a better way. The fun is trying to find it!

 

[tviman]

darn, did it again (apologies)...

guess I shouldn't get on the keyboard so soon after washing my hands.....



There's always a better way. The fun is trying to find it!

 

[Rieekan]

Spyder, when testing for HTTP_REFERER, you need to be sure you're linking to the script from another page. Going directly to the page won't return the referer as you haven't been refered to the page.

- Rieekan

 

[ChrisHunt]

Also, bear in mind that some security software/settings will stop browsers sending anything in HTTP_REFERER, so you need to allow the value to be blank. Furthermore, like anything that comes from a browser, it's an easy thing for somebody to spoof if they want to.

Personally I can't see what earthly benefit anybody would gain from abusing your tracker, but HTTP_REFERER isn't going to stop anybody who puts the slightest effort into it.

-- Chris Hunt
Webmaster & Tragedian
Extra Connections Ltd

 

[icrf]

I'm not sure what exactly you're asking, but I'll take a stab at answering anyway.

Ignoring URL and HTML encoding, I'm assuming you're translating links like

[URL unfurl="true"]http://mysite.com/page.html[/URL]

into

[URL unfurl="true"]http://mysite.com/cgi-bin/tracker.pl?url=http://mysite.com/page.html[/URL]

Working off that assumption, you can add a second parameter to your tracker that is an private key hashed version of the actual url. So now your url looks like

[URL unfurl="true"]http://mysite.com/cgi-bin/tracker.pl?url=http://mysite.com/page.html&key=SOME_BASE_64_ENCODED_HASH[/URL]

and your tracker.pl reads the url and key reruns the hash with your private key on the url and checks that it matches the key.

If you want, you could simple encrypt the url with a 2-way encryption and skip the plaintext url altogether. Asymmetric encryption is always much more compute-intensive and generally takes up more space, so unless you're trying to obfuscate the resulting url from the displayed url, I'd go with some symmetric encryption that allows you to specify a private key (meaning something like the builtin DES with perl's crypt() probably isn't good, as the salt used to hash is clear in the cyphertext itself).

Was I close?

________________________________________
Andrew

 

[spyderco]

I did get it working, HTTP_REFERER was just spelled wrong

It's definitely not as secure and stable as I am looking for, but it's better than nothing until a real suitable solution to track in-domain script input.

Thanks for all your help!

 

[duncdude]

ENV{'HTTP_HOST'}


Kind Regards
Duncan

 

[rob51383]

I did get it working, HTTP_REFERER was just spelled wrong

HTTP_REFERER is not a deffinate method because many system settings block this value (Including mine). Try it out on a few systems and you will be re-writing your code in no time!

ICRF's suggestion is the best method and is actually how many other systems work.