http header order

Looking for suggestions on how to discern the order that a browser sends
the HTTP headers in a get request. For example, I would like to tell if
the USER_AGENT header follows the HST header, or comes before it in the
request.
I'm currently using Apache and perl CGI scripts. I'm aware of the %ENV
variable, but that doesn't seem to discern the order that the headers
were sent :(
-frank p
No.1
Frank Posluszny wrote:
Looking for suggestions on how to discern the order that a browser sends
the HTTP headers in a get request. For example, I would like to tell if
the USER_AGENT header follows the HST header, or comes before it in the
request.
Why does it matter?
I'm currently using Apache and perl CGI scripts. I'm aware of the %ENV
variable, but that doesn't seem to discern the order that the headers
were sent :(
I think you might have to write something that operates at a different
level, the simplest way would probably be to write a simple HTTP server - it
probably doesn't even need to send a response, just dump the input it gets.
No.2
I came across an interesting paper
that talks about identifying browsers even if they fake their User-Agent
strings. I already have a simple perl app that listens on a port, reads
the GET request, and outputs what it received.
I'd like to see if I can incorporate it into a webpage being served on a
regular web server, like Apache.
If there's no way to do it, oh well. Would've been neat if I could.
-Frank P
David Dorward said the following on 2/23/2006 5:57 PM:
Frank Posluszny wrote:
>
>Looking for suggestions on how to discern the order that a browser sends
>the HTTP headers in a get request. For example, I would like to tell if
>the USER_AGENT header follows the HST header, or comes before it in the
>request.
>
Why does it matter?
>
>I'm currently using Apache and perl CGI scripts. I'm aware of the %ENV
>variable, but that doesn't seem to discern the order that the headers
>were sent :(
>
I think you might have to write something that operates at a different
level, the simplest way would probably be to write a simple HTTP server - it
probably doesn't even need to send a response, just dump the input it gets.
No.3
Frank Posluszny (fsp@mitre.org) wrote:
: I came across an interesting paper
:
: that talks about identifying browsers even if they fake their User-Agent
: strings. I already have a simple perl app that listens on a port, reads
: the GET request, and outputs what it received.
: I'd like to see if I can incorporate it into a webpage being served on a
: regular web server, like Apache.
: If there's no way to do it, oh well. Would've been neat if I could.
A web page could "redirect" (or link or whatever) them to the same host
but on another port, and have your custom server listening on that port.
Your server does what it does and then redirects them back to your main
server.
The data calculated could be included in the redirect url (can you do that?
- I think so), or stored as part of a session for the browser, in which
case the perl script would have to look for a cookie set earlier and use
that somehow as a session id.
If you send the data as part of the redirect url then use some hard to
guess checksum technique to ensure no one can fake your input.
$0.10
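
The approach in the post above, sketched as an added example (not code from any poster in this thread): the side-port listener extracts the header order from the raw request bytes, and the redirect back to the main server carries that order with an HMAC-SHA256 tag as the "hard to guess checksum". The sample request, host names, parameter names `order` and `sig`, and the key are all constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample: raw bytes as a listener on the side port would read them.
SAMPLE_REQUEST = (
    b"GET /probe HTTP/1.1\r\n"
    b"Host: www.example.test:8081\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"Accept: text/html\r\n"
    b"Accept-Language: en-us\r\n"
    b"Connection: keep-alive\r\n\r\n"
)

def header_order(raw: bytes) -> list:
    """Return lower-cased header names in the order they appeared on the wire."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    names = []
    for line in head.split(b"\r\n")[1:]:       # skip the request line
        if line[:1] in (b" ", b"\t"):           # folded continuation, not a new header
            continue
        name, sep, _ = line.partition(b":")
        if sep and name.strip():
            names.append(name.strip().decode("latin-1").lower())
    return names

def signed_redirect(base_url: str, order: list, key: bytes) -> str:
    """Side-port server: build the redirect URL carrying the order and its MAC."""
    value = ",".join(order)
    sig = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return base_url + "?" + urlencode({"order": value, "sig": sig})

def verify_redirect(url: str, key: bytes):
    """Main server: return the header order, or None if the MAC does not match."""
    qs = parse_qs(urlsplit(url).query)
    value = qs.get("order", [""])[0]
    sig = qs.get("sig", [""])[0]
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return value.split(",") if value else []

if __name__ == "__main__":
    key = b"constructed-demo-key"   # placeholder; both servers share a random secret
    url = signed_redirect("http://www.example.test/result.cgi", header_order(SAMPLE_REQUEST), key)
    print(url)
    print(verify_redirect(url, key))
```

The MAC stops a client from forging or editing the reported order, but a valid URL can still be replayed; including the session id or a timestamp in the MACed value would bind it to one visit.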
No.4
Thu, 23 Feb 2006 14:15:59 CST Frank Posluszny <fsp@mitre.org> wrote:
| Looking for suggestions on how to discern the order that a browser sends
| the HTTP headers in a get request. For example, I would like to tell if
| the USER_AGENT header follows the HST header, or comes before it in the
| request.
|
| I'm currently using Apache and perl CGI scripts. I'm aware of the %ENV
| variable, but that doesn't seem to discern the order that the headers
| were sent :(
There's no reason to discern the order since the headers are effectively a
name indexed collection. Normal applications should not be concerned with
the order of the headers.
No.5
Fri, 24 Feb 2006 08:36:30 CST Frank Posluszny <fsp@mitre.org> wrote:
| I came across an interesting paper
|
| that talks about identifying browsers even if they fake their User-Agent
| strings. I already have a simple perl app that listens on a port, reads
| the GET request, and outputs what it received.
| I'd like to see if I can incorporate it into a webpage being served on a
| regular web server, like Apache.
| If there's no way to do it, oh well. Would've been neat if I could.
Sounds like a job for a new Apache module. Enjoy programming inside Apache.
In the meantime, I'm thinking about whether I should make my proxy server
randomize the order of headers, or just sort them sans User-Agent.
Yeah, it's nice to know for statistical purposes just how many of what type
of browser are in use. But too damn many web developers are using that info
to decide what to output. Please don't give them more tools to do bad things.