JavaScript considered harmful (was Re: New online index to Beazley's tutorials)
Chris Gonnerman
chris.gonnerman at newcenturycomputers.net
Tue Jan 8 08:38:46 EST 2002
----- Original Message -----
From: "Aahz Maruch" <aahz at panix.com>
> In article <mailman.1010494751.14448.python-list at python.org>,
> Chris Gonnerman <chris.gonnerman at newcenturycomputers.net> wrote:
> >I'm with Alex here... particularly since you don't store "all that
> >customizing information" on the client machine. Generally I store an
> >apparently random bit of data (the primary key value of the database
> >record where the primary identification of the user is stored). Small
> >and unobtrusive, but it gets the job done. Lacking a valid value for
> >this cookie, I force the user to enter username and password.
>
> So how do you handle it when users don't permit cookies? You refuse to
> let them have customized pages? You still need a session ID in the URL.
> Why not just give them a bookmarkable page?
Well, you're forcing an admission of sorts... I found cookies too
limiting in the last such project I worked on and I used basically
what you suggest.
Still, I feel that calling cookies "evil" (not your words I don't
think, but your intention as I understand it) seems extreme to me.
Another poster (lost his name, sorry) complained about all the
statistical information which can be compiled using them. What
about the 1-pixel-camera trick? Turning off cookies isn't going to
affect that.
For anyone who doesn't know this one, the 1-pixel-camera is a 1x1 gif
(or similar unobtrusive image) which is referenced on web pages where
your presence is being tracked. The 1x1 gif file is typically on a
different server than the one you are actually visiting. Originally
this trick was used (and still is I assume) with cookies, but by
using a dynamic filename and a cgi script to "generate" the gif the
same tracking can be done without cookies.
For instance,
<img src="http://bad.guys.net/cgi-bin/1pixel.gif?id=71384234">
The bad.guys.net has paid the site you are visiting to host their ads,
and then included the above in an IFRAME/OBJECT-type space.
I've seen this myself. (Can't remember where, but I was not impressed.)
In either the cookie or the magic-number form, you can prevent such
tracking only by limiting your access to "bad.guys.net" (not a real
address) etc. My local proxy has hosts entries for the main offenders
as I have recognized them. Probably there are many I don't know
about...
Hmmm... probably could do the above with "regular" graphic ad banners
too... Truly evil.
I debated explaining this here, but "security through obscurity"
naturally doesn't work. The bad guys already know these tricks.
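As an added example (not part of the original post), here is a small Python filter a defender could run over a fetched page to spot the kind of third-party image described above: cross-site img references that carry a per-visitor token in the query string, or that are 1x1 pixels. The sample HTML and all hosts in it are constructed; only the standard library is used.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample page: one first-party image, one third-party
# "1-pixel camera" as described in the post, and a third-party banner
# that also carries a visitor token. All hosts are made up.
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.gif" width="120" height="40">
<img src="http://bad.guys.net/cgi-bin/1pixel.gif?id=71384234" width="1" height="1">
<img src="http://ads.example.invalid/banner.cgi?u=4242" width="468" height="60">
</body></html>
"""

class ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in a document."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def find_trackers(html, page_host):
    """Return the src of each <img> that looks like a cross-site beacon.

    An image is flagged when it is served from a host other than the
    page's own AND it either carries a token in its query string (the
    dynamic-filename variant described in the post) or is a 1x1 image.
    """
    collector = ImgCollector()
    collector.feed(html)
    flagged = []
    for img in collector.images:
        src = img.get("src") or ""
        url = urlparse(src)
        if not url.netloc or url.netloc.lower() == page_host.lower():
            continue  # first-party image: not a cross-site beacon
        has_token = bool(parse_qs(url.query))
        is_pixel = img.get("width") == "1" and img.get("height") == "1"
        if has_token or is_pixel:
            flagged.append(src)
    return flagged

def blocked_hosts(html, page_host):
    """Distinct third-party hosts to add to a local proxy's deny list."""
    return sorted({urlparse(s).netloc for s in find_trackers(html, page_host)})
```

The hosts returned by blocked_hosts are the sort of entries the post's local proxy keeps; the filter also catches the "regular" banner case the post speculates about, since the banner's query-string token alone is enough to flag it.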