~ WTV SECURITY INDEX ~

Blocking Abusive WebTV Users with Home-Baked Cookies 

INTENDED USE: This document outlines a way to block an individual, abusive WebTV user from accessing your site, as well as a way to report specific abusers to WebTV Networks, Inc. This document is to be distributed only to individuals with whom WebTV Networks has an ongoing relationship. Under no circumstances should this document become generally available to the public, or made available without supervision of WebTV Networks. 

BACKGROUND: Like any other Internet users, WebTV users occasionally act abusive on Web sites, and Webmasters may wish to ban them from re-entry. The most common method of doing this, IP blocking, is not an appropriate way of dealing with the problem. WebTV Networks' use of proxies means that thousands of users may share the same IP at any given time. In addition, the ease with which WebTV users can create new users rules out user-specific cookies as a possible solution. 
Proposal: By using a WebTV-specific technology called "Home-Baked Cookies," sites can effectively block a single WebTV subscriber, no matter how many different users that subscriber creates. When reported to WebTV Networks, the value attribute of these cookies enables a rapid identification of abusive users. 

TECHNOLOGY: A "Home-Baked Cookie" is set and retrieved like any other type of HTTP cookie. The key difference is that the cookie name has a prefix of "WTV-HomeBakedCookie". The initial cookie value is irrelevant. 

Once a cookie with the WTV-HomeBakedCookie prefix is written to a WebTV system, the WebTV Networks' servers overwrite the original value of that cookie with an encrypted tracking number. Any user created on that WebTV system will receive the same encrypted tracking number when a WTV-HomeBakedCookie is issued. This makes it possible to block not only one user, but all users from an individual WebTV system. 

ADDITIONAL CONSIDERATIONS: Although not outlined here, Webmasters will need a way to associate abusive users with the value in their Home-Baked Cookies. An advanced chat site may wish to log the names of chatters with the contents of the cookie, while an anonymous message board may just log the contents of the cookie with the content of user posts. Lastly, abusive users should be reported to abuse@corp.webtv.net for investigation. 

IMPLEMENTATION NOTES: The implementation outlined below is simply one of many possibilities. If you decide to use these cookies on your site, your implementation will probably be quite different. View the example below only as an introduction to the technology. 

There are four parts to this system. 

A "Terms of Service/Login" page. This page details the guidelines of the site and sends all WebTV users to the "checker.cgi" script. 

A "checker.cgi" script will verify visitors are not currently banned from the site, and assign them session cookies that they will need to enter. "banned.txt," a list of blocked users created by the Webmaster. 

A small chunk of JavaScript that, when placed on any page within the site, will block access from unqualified users. To understand how the system works, let's look at the experience of a WebTV user who lands on the "Terms Of Service" page. 

The Terms of Service page has a form with a button labeled "I agree." Clicking on this button sends a WebTV user to "checker.cgi." Note that WebTV users cannot manually disable JavaScript in their browsers. 

 
 

<script>
function checkWTV() 
{ 
if (navigator.appName.indexOf("WebTV") != -1)
document.location = "checker.cgi"; 
} 
</script>
<form> 
<input type=submit onClick="checkWTV()" value="I agree">
</form> 


By attempting to log on to the site, the WebTV user must first pass through the "checker.cgi" script. The first thing the script does is to give a Home-Baked Cookie to users who do not already have one. 

use CGI;

 
 

$query = new CGI; 
$theirCookieID = $query->cookie('WTV-HomeBakedCookie-ID'); if ($theirCookieID eq "") 
{ 
print("Location: giveHBC.cgi\n\n"); 
} 
The "giveHBC.cgi" script simply gives the user a cookie and sends him back to "checker.cgi." 
#!/usr/local/bin/perl
print "Content-type: text/html\n"; 
print "Set-cookie: WTV-HomeBakedCookie-ID=nonesuch; expires=Tuesday, 30-Apr-2002 12:00:00 GMT\n"; 
print "Location: http://your_domain_here/checker.cgi\n\n"; 


If you are not familiar with CGI.pm, or the library is not installed on your server, you can find full documentation and installation instructions at: 
http://stein.cshl.org/WWW/software/CGI/cgi_docs.html 

At this point in the script, the user must have a cookie, so we'll see if its value is in our list of banned users. 
 
 
open (BANNED, "banned.txt");
while 
(<BANNED>) 
{ 
if($_ =~ $theirCookieID) 
{ 
close BANNED;
print "Content-type: text/html\n";
print "Set-cookie: goodguy=nope\n"; 
print("Location: http://your_domain/banned/\n\n"); exit; 
}
} 
close BANNED; 



If the user appears in this list, he's given a "goodguy=nope" session cookie, and sent to a page telling him he's been banned from the site. 
The list of banned users is just a text file, with the cookie value of each banned user on separate lines. 

6853e467c52a2362205217a2ee42100f
fa8511416931aa61496e56972ed10078
b1e4bd8348fcaa2ff25cc44396823d18
9f5d3a91239fb1a0beb4a9daf00a449f 

If you are comfortable with the code, you may prefer to store this list directly in an array, or in a database file tied to the script. If the user's ID does not show up in the "banned" file, he is given a "goodguy=yup" session cookie and allowed to enter the site. 

print "Content-type: text/html\n";
print "Set-cookie: goodguy=yup\n"; 
print "Location: http://your_domain/welcome/\n\n"; 

But what if the user goes directly to a page within the site rather than going to the logon page first? Insert the following JavaScript into  of any page you wish to protect from banned chatters: 
 
 

<script> //Bill Dortch's cookie code
function getCookie(name){
var cname = name + "=";
var dc = document.cookie;
if (dc.length > 0) {
begin = dc.indexOf(cname);
if (begin != -1) {
begin += cname.length;
end = dc.indexOf(";", begin);
if (end == -1) end = dc.length; 
return unescape(dc.substring(begin, end)); 
}
} 
return null; 
} 
</script> 


Then, be sure to insert this small chunk somewhere in the  of the document: 

 
 

<script> 
if (navigator.appName.indexOf("WebTV") != -1) 
{ 
if(getCookie("goodguy") == null) 
document.location = "termsOfService.html"; if(getCookie("goodguy") == "nope") 
document.location="banned.html"; 
} 
</script> 



This will bar entry from any user who does not have a "goodguy=yup" session cookie. Anyone without this session cookie will be re-directed to the Terms of Service page. Since WebTV users cannot manually disable the JavaScript engine in their browsers, this is an effective, but not infallible, way of blocking banned users from your site. 

ATTATCHMENT 1 - HTML for "Terms of Service" page. 
 
 

<html> 
<head> 
<META HTTP-EQUIV="Expires" CONTENT="Thu, 01 Dec 1994 16:00:00 GMT"> <script><!-- 
function checkWTV() 
{ 
if (navigator.appName.indexOf("WebTV") != -1)
document.location = "checker.cgi"; 
}
//--> 
</script>
</head>
<body>
<h1>Welcome to our chat page!</h1> 
Please read our rules before continuing: <ul> 
<li>No spitting in the pool.
<li>No pulling your sister's hair.
<li>No jokes about the President!
</ul> 
If you accept these terms of service, please click the "I Accept" button below. 
<br>
<br> 
<form action="http://someForm.cgi" method="post"> <input type=submit onClick="checkWTV()" value="I accept!" > </form> 
</body>
</html> 
Attachment 2 - Perl code for CGI script
#!/usr/local/bin/perl
use CGI;
$query = new CGI; 
$theirCookieID = $query->cookie('WTV-HomeBakedCookie-ID'); if ($theirCookieID eq "") 
{ 
print("Location: giveHBC.cgi\n\n"); 
} 
open (BANNED, "banned.txt");
while (<BANNED>) 
{ 
if($_ =~ $theirCookieID) 
{ 
close BANNED;
print "Content-type: text/html\n";
print "Set-cookie: goodguy=nope\n"; 
print"Location: http://www.albion.com/netiquette/\n\n"; 
}
} 
print "Content-type: text/html\n";
print "Set-cookie: goodguy=yup\n";
print("Location: http://www.\n\n");