Re: HTTP_USER_AGENT

Mon, 03 Apr 2000 10:02:09 -0700 


So the moral of the story is, don't ever trust the client for anything
important.

> I still think that's missing an important point:
>
> YOU CAN'T HAVE a canonical listing of HTTP_USER_AGENT values, because NO
> SUCH ANIMAL exists :)  All HTTP_USER_AGENT is is a string supplied by the
> client, and as long as the client follows the spec for what the string is
> supposed to look like [ Client/Version (param; param; ... param) ] then it
> is a valid response.  I've written client scripts before that supplied
> values like "HungrySalmon/1.0" for HTTP_USER_AGENT.  Nor can you trust it:
> it's a simple matter of editing one string table inside Netscape to change
> it (even easier than replacing the "traveling N"; IIRC, Netscape's
> "customization" kit for corp. clients even supports it directly), and if
> the agent is a client script, it's even easier to spoof (Exercise for the
> reader: write an HTTP client script using LWP that reports its user agent
> as "Navigator/3.04"; no, I don't want to see it when you're done -- I
> didn't collect homework when I did teach, I'm not going to start now *g*)
> in your own widgets.
>
> At one point I was involved with a project to collect the HTTP_USER_AGENT
> strings reported by spiders, and associating them with the search engine
> they belonged to, so that the "most appropriate" set of meta-information
> for that particular search engine could be returned... and it wasn't that
> long of a list.  So you can get probably 99% of the information you want
> fairly easily, but I still wouldn't trust it.
>
> Incidentally, if you either use the (deprecated) Agent_Log directive or
> used the "combined" logfile format, you can extract a list of
> HTTP_USER_AGENT strings from your own server logs :)  And now, you know
> not to be alarmed when you find your site being visited by someone using
> "FlailingJellyfish/5.7" :)



--
 Jason Murphy
 System Administrator
 Lawinfo.com
 1-800-397-3743 ex: 133

>
> ************************************************************
> Jeff D. "Spud (Zeppelin)" Almeida
> Windsor, CT
> [EMAIL PROTECTED]
>
>

Reply via email to