Client-side checking considered stupid

A friend of mine pointed me at a humour/satire piece today. (The link is here for those interested.)

As those of you who promptly looked at where the link goes discovered, it was to a URL ending in .../ViewFeature.cfm?Ref=586. When I looked at this, I got (after bouncing through a redirect) a "please turn on cookies" page. I tried doing so, in a new lynx instance, and found that it bounced through another redirect to the same URL but with &Cookies=yes appended.

So, being a curious sort of mousie, I tried specifying &Cookies=yes directly, without turning cookies on. Surprise surprise, it gave me the content just fine.

While this is obnoxious (in that it wants cookies turned on even though it clearly does not actually need them for anything), my main point today is that it's stupid. It's yet another instance of trusting a Web client to do some checking you want done for you. Perhaps the commonest form this takes is to have JavaScript vetting form entries before submission, but this is another example.

In this case, it is perhaps not as stupid as it usually is, because it's not clear that (even from the site's point of view) there's all that much value lost by letting the client do this (though that in turn makes me wonder why bother doing it at all). But, in general, this is a classic Bad Idea. One of the first rules of security is to mistrust everyone: to assume everyone not directly under your control is out to break your system. Assuming that the Web client will do your checks the way you want it to just because you tried to tell it to (in this case, that it won't append &Cookies=yes unless you redirect it to that URL) is a good example of how to not do this.
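
The difference, as an added sketch that is not the site's code: a handler that believes the &Cookies=yes flag, next to one that only believes a probe cookie the server itself issued and can verify. The handler names, the "probe" cookie and the HMAC signing are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed per-process secret (assumption)

def _sign(nonce: str) -> str:
    return hmac.new(SERVER_KEY, nonce.encode(), hashlib.sha256).hexdigest()

def naive_handler(query: dict, cookies: dict):
    """Pattern described in the post: the URL flag alone unlocks the page."""
    if query.get("Cookies") == "yes":
        return 200, {}, "content"
    return 302, {"Location": "?Ref=586&Cookies=yes"}, ""

def checked_handler(query: dict, cookies: dict):
    """The server checks its own evidence; the URL flag only marks the retry."""
    nonce, _, tag = cookies.get("probe", "").partition(".")
    if nonce and hmac.compare_digest(tag.encode(), _sign(nonce).encode()):
        return 200, {}, "content"
    if query.get("Cookies") == "yes":
        # The client claims cookies are on, but no valid probe cookie came back.
        return 403, {}, "please turn on cookies"
    nonce = secrets.token_hex(8)
    headers = {"Set-Cookie": f"probe={nonce}.{_sign(nonce)}",
               "Location": "?Ref=586&Cookies=yes"}
    return 302, headers, ""

if __name__ == "__main__":
    claim = {"Ref": "586", "Cookies": "yes"}  # constructed request: flag set, no cookies
    print("naive:  ", naive_handler(claim, {})[0])
    print("checked:", checked_handler(claim, {})[0])
```
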
