Although it is simply adding another layer to your existing Security by Obscurity (and therefore not the entire solution to your problem), you might at least consider accepting only POST-type requests in your script. That is, instead of accessing the script by this hyperlink URL:

you use a form with all hidden fields and a button (which may be a bitmap):

<FORM METHOD=POST>
<INPUT TYPE=HIDDEN NAME='user' VALUE='foolish'>
<INPUT TYPE=HIDDEN NAME='id' VALUE='2'>
<!-- use THIS: -->
<INPUT TYPE=SUBMIT VALUE='Button Title'>
<!-- OR THIS: -->
<INPUT TYPE=IMAGE SRC='/images/button_img.jpg' onClick='submit()'>
</FORM>
[download]

Update: This won't prevent users from seeing what parameters your script takes (and their values), but rejecting GET requests will at least make it harder to fake them.

dmm

POSTs are still quite easy to fake. True, you can't simply edit the URL in the browser address bar, but all you have to do is save the HTML page, edit the value of the hidden field, view the resulting page locally, and hit Submit.

Further authentication is really a necessity in a scenario like this.

This is true. I did not intend to suggest that this (and this alone) was a solution to the problem, but it makes it that much more difficult to accomplish (weeding out the "casual" spoofers, as it were). I agree that other security measures are also necessary; for instance, also incorporating HTTP_REFERRER checks and using session cookies, etc.

#/usr/bin/perl

use CGI qw(:standard);
use strict;

my $q=new CGI;

# Check values from the query string
unless ($q->param('user') eq 'foolish' && $q->param('id') eq '2') {
     print $q->header, $q->start_html(-title=>'Page not found');
     print h2("This page was not found"), $q->end_html;

     exit;
    }
    
 # Real page code follows
[download]

That, of course, won't work if (as appears to be the case) 'user' and 'id' are in fact variables specific to each user.

You are right. A more complicated scheme would be required for multiple user-id passwords. One method could be to store these user-id pairs in advance in a hash data file, say ../data/user_id, then check the incoming user-id pair against values in the existing hash. For example:



#/usr/bin/perl

use CGI qw(:standard);
use GDBM_File;

use strict;

my $q=new CGI;

#  Assume an existing saved hash %user_id with 'user' as the key and '
+id' as the value
#  created earlier by $user_id{"$user"} = $id and stored in ../data/us
+er_id

my $verify = "../data/user_id";
tie %user_id, 'GDBM_File', $verify, O_RDWR, 0666 or die "Can't tie $ve
+rify:$!";

my $user = $q->param('user');
my $id = $q->param('id');

# Check values from the query string against values in hash
unless (exists $user_id{"$user"} && $user_id{"$user"} = $id) {

     print $q->header, $q->start_html(-title=>'Page not found');
     print h2("This page was not found"), $q->end_html;

      exit;
    }
  
  untie %user_id;  
    
 # Real page code follows
[download]

By now one has other worries, like being sure the hash is locked while a tie is taking place, about how to update and delete values from the hash, about passing a name-password without security, etc.

Better advice might be to learn about SSL and OS/Web Server authentication for the particular target platform.