[cgiapp] Persistence

Michael Peters mpeters at plusthree.com
Wed Feb 6 16:47:17 EST 2008

Ron Savage wrote:

>>> o Add the session id to the URL. This method has the most problems, and
>>> is not recommended.
>>> The session id is generated by CGI::Session.
>> Surely 1 and 3 are the same (except possibly you are talking about a post vs 
>> get)?
> Not really.
>> What are the problems with the last option? This is the way I have to 
>> approach it as I can't rely on the browsers I am dealing with to allow 
>> cookies. It's worked fine up to now... 
> Google for XSS - Cross-site scripting attacks, as a starter.

Maybe I'm being dense, but XSS is about letting user's embed HTML/JS into other
documents. So you need to protect against nefarious JS folks. How does putting
the session id in the URL cause XSS problems? XSS is all about *escaping* user
entered data when outputting it.

Michael Peters
Plus Three, LP

More information about the cgiapp mailing list