Client-side checking considered stupid

A friend of mine pointed me at a humour/satire piece today. (The link is here for those interested.)

As those of you who promptly looked at where the link goes discovered, it was to a URL ending in .../ViewFeature.cfm?Ref=586. When I looked at this, I got (after bouncing through a redirect) a "please turn on cookies" page. I tried doing so, in a new lynx instance, and found that it bounced through another redirect to the same URL but with &Cookies=yes appended.

So, being a curious sort of mousie, I tried specifying &Cookies=yes directly, without turning cookies on. Surprise surprise, it gave me the content just fine.

While this is obnoxious (in that it wants cookies turned on even though it clearly does not actually need them for anything), my main point today is that it's stupid. It's yet another instance of trusting a Web client to do some checking you want done for you. Perhaps the commonest form this takes is to have Javascript vetting form entries before submission, but this is another example.

In this case, it is perhaps not as stupid as it usually is, because it's not clear that (even from the site's point of view) there's all that much value lost by letting the client do this (though that in turn makes me wonder why bother doing it at all). But, in general, this is a classic Bad Idea. One of the first rules of security is to mistrust everyone: to assume everyone not directly under your control is out to break your system. Assuming that the Web client will do your checks the way you want it to just because you tried to tell it to (in this case, that it won't append &Cookies=yes unless you redirect it to that URL) is a good example of how to not do this.