mpeters at plusthree.com
Wed Feb 6 16:47:17 EST 2008
Ron Savage wrote:
>>> o Add the session id to the URL. This method has the most problems, and
>>> is not recommended.
>>> The session id is generated by CGI::Session.
>> Surely 1 and 3 are the same (except possibly you are talking about a post vs
> Not really.
>> What are the problems with the last option? This is the way I have to
>> approach it as I can't rely on the browsers I am dealing with to allow
>> cookies. It's worked fine up to now...
> Google for XSS - Cross-site scripting attacks, as a starter.
Maybe I'm being dense, but XSS is about letting user's embed HTML/JS into other
documents. So you need to protect against nefarious JS folks. How does putting
the session id in the URL cause XSS problems? XSS is all about *escaping* user
entered data when outputting it.
Plus Three, LP
More information about the cgiapp