in reply to file download security

Have you tried checking the HTTP referer is the page that they should be coming from? It's been a while since I've done CGI so I can't recall the exact name of the variable, but I know it's somewhere in %ENV so if you dump that, or hit the docs, you should find it easily enough.

If this isn't sufficient security, and you're using JS and suchlike already, then maybe some cookie-based system that puts a short-expiration cookie on their machine on the entry page, and then tests its existence on the download?

Either way if the test fails it's probably a good idea to direct them back to the entry page, but also add a message saying why they're back at the entry page and a 'Contact us with download problems' link just in case something is wrong with your tests. Don't rely on the browser to do the right thing, it never will.

Re: Re: file download security
by Ovid (Cardinal) on Apr 15, 2002 at 15:38 UTC

    You may not be aware of this, but the HTTP referer, like the IP address, can be spoofed. Using this as a method of security is a bad idea as it is trivial to build an application (or use pre-made "script kiddie" tools) that fakes this information for you.

    Cheers,
    Ovid

    Join the Perlmonks Setiathome Group or just click on the link and check out our stats.

Re: Re: file download security
by cjf (Parson) on Apr 15, 2002 at 15:33 UTC
    It's been a while since I've done CGI so I can't recall the exact name of the variable

    $ENV{HTTP_REFERER} (note the spelling) will contain the referrer.
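
Added example, not part of the original thread: the short-expiration cookie idea from the first post, written in Perl so that the download script verifies a server-signed expiry instead of trusting anything the client can simply assert, such as the Referer that Ovid points out is spoofable. The secret, the cookie name `dl`, the 300-second lifetime and the sample requests are assumptions constructed for illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumptions: placeholder secret kept only on the server; 5-minute lifetime.
my $SECRET = 'replace-with-a-long-random-server-side-secret';
my $TTL    = 300;

# Entry page: issue "<expiry>:<HMAC-SHA256 of expiry>" as the cookie value.
sub make_token {
    my ($now) = @_;
    my $expires = $now + $TTL;
    return $expires . ':' . hmac_sha256_hex($expires, $SECRET);
}

# Download script: accept only an unexpired token whose MAC verifies.
sub check_token {
    my ($token, $now) = @_;
    return 0 unless defined $token && $token =~ /\A(\d{1,12}):([0-9a-f]{64})\z/;
    my ($expires, $mac) = ($1, $2);
    my $expected = hmac_sha256_hex($expires, $SECRET);
    my $diff = 0;    # compare every byte so timing does not leak a prefix match
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expected, $_, 1)) for 0 .. 63;
    return ($diff == 0 && $expires >= $now) ? 1 : 0;
}

# Extract one cookie from the raw header the web server puts in $ENV{HTTP_COOKIE}.
sub cookie_value {
    my ($header, $name) = @_;
    return ($header // '') =~ /(?:\A|;\s*)\Q$name\E=([^;]*)/ ? $1 : undef;
}

# Constructed sample requests: [label, Cookie header, Referer header].
my $now  = time;
my $good = make_token($now);
my ($exp, $mac) = split /:/, $good;
my @requests = (
    ['valid cookie, no Referer',  "dl=$good",                          ''],
    ['forged Referer, no cookie', '',                                  'http://example.com/entry.html'],
    ['expiry edited by client',   'dl=' . ($exp + 86400) . ":$mac",    'http://example.com/entry.html'],
    ['expired token',             'dl=' . make_token($now - 2 * $TTL), ''],
);
for my $r (@requests) {
    my ($label, $cookie, $referer) = @$r;
    my $token = cookie_value($cookie, 'dl');    # the Referer is never consulted
    printf "%-26s referer=%-30s => %s\n", $label, $referer || '-',
        check_token($token, $now) ? 'serve file' : 'redirect to entry page';
}
```

The token only proves that the entry page was visited within the lifetime; anyone holding a valid one can replay it until it expires, so files that need real access control still need authentication.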