homepage Welcome to WebmasterWorld Guest from 54.161.175.231
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Visit PubCon.com
Home / Forums Index / Hardware and OS Related Technologies / Website Technology Issues
Forum Library, Charter, Moderators: phranque

Website Technology Issues Forum

    
Script cloaked as CSS file checks for cookies from server side but...
carlos123




msg:669810
 6:50 pm on Sep 18, 2002 (gmt 0)

Hi everyone,

I have managed to figure out a way to have server side scripts transparently figure out if a browser has cookies enabled and am wondering if I could get input on any pitfalls to my approach.

It's a bit involved but here goes...

Under normal circumstances checking to see if a browser has cookies enabled cannot be done from the server side because although a cookie can be set when the user agent first requests a document, server side scripts must wait for the user agent to re-initiate a second HTTP request - before sending the cookie back. At which point a server side script can check to see if the cookie was enabled.

I noticed that stylesheets and graphics files cause a browser to automatically send HTTP requests for these files so...

I put the following in my HTML files...

<link rel="stylesheet" href="/general_stylesheet.css" type="text/css">
<link rel="stylesheet" href="/general.cde" type="text/css">

The /general.cde is not really a CSS file. It is a Perl script that checks to see if a cookie was accepted when it was first set by the script that outputs the HTML page in which the above is found. It also logs info into a custom log file of mine and performs other such background activities.

Along with the above I included the following in my apache httpd.conf file...

AddHandler cgi-script .cgi .pl .cde

which causes apache to execute any files ending in .cde as cgi scripts.

I had to fool the browser into loading my css "script" like it normally does CSS files so that it would be automatically requested.

I also included the following code in my general.cde script to keep this file from being cached by user agents and from returning an Apache status other than a 200 OK.

print "Expires: Thu, 29 Oct 1998 17:00:00 GMT\n";
print qq(Cache-control: no-cache="set-cookie")."\n";
print "Status: 200 OK\n";
print "\n";

Everything seems to be working just fine but I am wondering about the pros and cons of this approach. Will a search engine balk when it loads a suppossed CSS file that is not really a CSS file?

I thought of using Javascript to set and check a cookie on the page but I don't want to force my visitors to use Javascript in view of the security problems it can entail for them.

I also did not want to use a 1 pixel image - making it likewise a script - since I have heard that some SE's are frowning on 1px graphics. Making it bigger in pixels would have made it more apparent and less transparent. Also some surf with graphics off.

All in all my approach seems good but any input would be appreciated.

About the only downside to this that I can see might be the possibility that some older browser's might crash when trying to load and process a CSS file that is not really a CSS file. Also my relative URL used means I have to store a script in my document root instead of the CGI bin which might make it easier for hackers to break into it.

Lastly someone can just copy my HTML file, strip out the link line calling general.cde and defeat this whole mechanism though I doubt that most of my site visitors will not only look at the code and detect something fishy but also go to the trouble to strip out the link line.

Thanks.

Carlos

 

WebGuerrilla




msg:669811
 7:05 pm on Sep 18, 2002 (gmt 0)


I'm not sure about whether or not you might crash older browsers, but you shouldn't have any problems with spiders because they typically don't request or parse style sheets.

andreasfriedrich




msg:669812
 1:11 am on Sep 20, 2002 (gmt 0)

About the only downside to this that I can see might be the possibility that some older browser's might crash when trying to load and process a CSS file that is not really a CSS file.

If you are concerned about this why not have your script return a real CSS file. The browser, in fact nobody, needs to know that the CSS file was created by a script. That is why the href attribute is defined as containing an URI, an resource identifier and not a file identifier.

RFC 2396 defining Uniform Resource Identifiers (URI): Generic Syntax [ietf.org] makes this quite clear:

A resource can be anything that has identity. Familiar examples include an electronic document, an image, a service (e.g., "today's weather report for Los Angeles"), and a collection of other resources. Not all resources are network "retrievable"; e.g., human beings, corporations, and bound books in a library can also be considered resources.

You write:

Under normal circumstances checking to see if a browser has cookies enabled cannot be done from the server side

What´s wrong with

setcookie('test', 'test'); 
header("Location: $PHP_SELF?ct=");
and testing whether you get the cookie back?
carlos123




msg:669813
 2:28 am on Sep 20, 2002 (gmt 0)

Hi Andreas,

Thanks again for your input.

I tried using a "Location..." header (but in Perl) and the cookie was never returned. Perhaps partly because mod_rewrite directives in my .htaccess file took over and intercepted the redirection.

Or maybe not. I am not sure about why not but the cookie was not being returned. So I resorted to piggy backing on the fact that browsers automatically sent a new HTTP request for .CSS files.

Under normal circumstances I am not sure that the "Location" header forces a browser to re-load the page being relocated to and to send back the cookie. At least it didn't for me. I did get it to return a cookie by forcing a Status 301 header to be sent to the browser ahead of the Location header but unfortunately this messed up my mod_rewrites (in the sense that the Location URL started showing up in the browser address bar).

My site relies very heavily on mod_rewrite to "hide" the real names of files and scripts at my site and to redirect here and there internally. Among the more important advantages to this is that I can move my files anywhere I want in my directory structure without invalidating existing URL's.

Anyway things are working very well now.

Thanks again for your input Andreas (and to you too WebGuerilla).

Carlos

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Hardware and OS Related Technologies / Website Technology Issues
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved