I don't believe the Googlebot can be stopped by JavaScript, and nevertheless it's probably never a really good idea to prevent access to admin pages with JS only, as disabling JavaScript is relatively easy.

Using cflocation would probably take care of it, though, and effectively redirects the user (or bot) to the appropriate page.

Francois Levesque
http://blog.critical-web.com/

On Thu, Feb 19, 2009 at 3:09 PM, Les Mizzell <[email protected]> wrote:
>
> This happened on a small site with a user admin system that's password
> protected. Seems Googlebot managed to get into the admin system last
> night, started crawling admin pages, and ended up munging half the
> database:
>
> 1. Clicking "archive" or "mark inactive" buttons on admin area
> index pages
> 2. In a few cases, actually seemed to SUBMIT a form, updating data.
>
> I'm still scratching my head over how Googlebot got into the admin
> system to start with. It looks legit from the logs. The IP address,
> user-agent and everything else checks out.
>
> Luckily, this isn't a mission-critical site, and database backups are
> done nightly, but now it's got me worried for other sites. Googlebot has
> *never* caused any problems with password protected admin systems
> before, my "robots.txt" file usually excludes the admin folder (and you
> can be sure I'm checking the ones I'm not sure about right now) and the
> login stuff I use I thought was pretty standard.
>
> My login code is below. Tell me I'm a complete idiot.
>
> So,
>
> 1. Anybody else have this problem recently?
> 2. I'm an idiot I guess, how *should* I be doing my login systems?
> (One site on CF8, others still CF7)
> 4. If you're doing anything like I am, then maybe we're *all* idiots at
> this point and need to redo our login pages to use whatever somebody
> much smarter than I says to do in #2 above.
>
> ---------------------------------------------
> Application.cfm page for the admin folder:
> ---------------------------------------------
>
> <!--- Define that this user is logged out by default --->
> <CFPARAM NAME="session.allowin" DEFAULT="false">
>
> <!--- Define this user id to zero by default --->
> <CFPARAM NAME="session.user_id" DEFAULT="0">
>
> <!--- If the variable "session.allowin" does not equal true, send user
> to the login page --->
>
> <cfif session.allowin neq "true">
>     <cfif ListLast(CGI.SCRIPT_NAME, "/") EQ "../admin_login.cfm">
>     <cfelseif ListLast(CGI.SCRIPT_NAME, "/") EQ "login_process.cfm">
>     <cfelse>
>         <!--- Not logged in, alert user and redirect --->
>         <script>
>         <!---alert("You must login to access this area!");--->
>         self.location="../admin_login.cfm";
>         </script>
>     </cfif>
> </cfif>
>
> ---------------------------------------------
> login_process page:
> ---------------------------------------------
> **QUERY TO CHECK USER/PASS HERE
>
> <cfif Verify.RecordCount>
>     <!--- logged in ... set the value of the session.allowin value --->
>     <cfset session.allowin = "True" />
>     <cfset session.user_id = Verify.id />
>     <script>
>     self.location="idx_admin.cfm";
>     </script>
> <cfelse>
>     <!--- not logged in, redirect to the login page --->
>     <script>
>     alert("Your credentials could not be verified, please try
>     again!!!");
>     self.location="../admin_login.cfm";
>     </script>
> </cfif>
>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:319542
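A server-side version of the two quoted pages, as an added example (not the original poster's or Francois's code): cflocation answers with a 302 and ends the request, so an unauthenticated client, whether a crawler or a browser with JavaScript off, never receives the admin page body at all. The `adminArea` application name, the `publicPages` list and the `failed=1` flag are assumptions; the file names and session variables are those from the quoted code.

```cfml
<!--- File 1: Application.cfm for the admin folder (added example; adminArea is an assumed name) --->
<cfapplication name="adminArea" sessionmanagement="yes">

<!--- Logged out and user id zero by default, as in the original --->
<cfparam name="session.allowin" default="false">
<cfparam name="session.user_id" default="0">

<!--- The only pages a visitor without a session may request (assumed list) --->
<cfset publicPages = "admin_login.cfm,login_process.cfm">
<cfset thisPage = ListLast(CGI.SCRIPT_NAME, "/")>

<cfif session.allowin NEQ "true" AND NOT ListFindNoCase(publicPages, thisPage)>
    <!--- Server-side redirect: the response is a 302 with an empty body, so the
          admin page that would follow is never generated or sent. addtoken="no"
          keeps CFID/CFTOKEN out of the Location URL a crawler might record. --->
    <cflocation url="../admin_login.cfm" addtoken="no">
    <!--- cflocation already stops processing; cfabort just makes that explicit --->
    <cfabort>
</cfif>

<!--- File 2: login_process.cfm, with the JavaScript redirects replaced --->
<!--- (the query that populates Verify from the submitted user/pass goes here) --->
<cfif Verify.RecordCount>
    <cfset session.allowin = "true">
    <cfset session.user_id = Verify.id>
    <cflocation url="idx_admin.cfm" addtoken="no">
<cfelse>
    <!--- Failed login: redirect with a flag (assumed) the login page can show a message for --->
    <cflocation url="../admin_login.cfm?failed=1" addtoken="no">
</cfif>
```

The redirect only keeps unauthenticated requests out; the "archive" and "mark inactive" links described in the quoted post still change data on a plain GET for anyone who does hold a session, so those actions are better bound to POST forms.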

