mpeters at plusthree.com
Wed Feb 6 17:16:47 EST 2008
Mark Fuller wrote:
>>>> o Add the session id to the URL. This method has the most problems, and
>>>> is not recommended.
>>> What are the problems with the last option? ...
>> Google for XSS - Cross-site scripting attacks, as a starter.
> I thought the problem with putting the session ID in the URL is that
> the user might copy/paste the URL to others. When they try to use it,
> the app would have no way to know it's not the real user?
While that is a problem (it holds true with any user identifiable information
not just sessions. You need to especially watch what you put into emails since
they will get forwarded) it's not XSS.
XSS is Cross Site Scripting. So you need 2 domains (hence the cross-site) and it
future client-side scripting language). Basically it's problem of people
sessions, etc from the user who sees it. It doesn't matter if the session id is
This is why escaping any data that could potentially come from a user is so
<tmpl_var foo escape=html>
[% foo | html %]
Plus Three, LP
More information about the cgiapp