On Wed, 2008-02-06 at 08:16 +0000, Mark Knoop wrote:

Hi Mark

> > On top of the other responses, I'd add:
> >
> > Your application must keep track of a 'session'. The main ways to do
> > that are:
> >
> > o Add a hidden field to each CGI form, in which you send out to the
> > client the id of their session, so that when the user submits the form
> > you get back their id. This is my preferred alternative
> >
> > o Add the session id to a cookie sent from your code, which you get back
> > later from the client. This is a commonly-used method
> >
> > o Add the session id to the URL. This method has the most problems, and
> > is not recommended.
> >
> > The session id is generated by CGI::Session.
>
> Surely 1 and 3 are the same (except possibly you are talking about a post vs
> get)?

Not really.

> What are the problems with the last option? This is the way I have to
> approach it as I can't rely on the browsers I am dealing with to allow
> cookies. It's worked fine up to now...

Google for XSS - Cross-site scripting attacks, as a starter.

-- 
Ron Savage
[EMAIL PROTECTED]
http://savage.net.au/index.html
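
The first option in the message above (session id in a hidden form field), as an added example that is not part of the original thread: a small CGI script using CGI.pm and CGI::Session that accepts the id only from a POST body, so it never appears in a URL. The session directory and the `visits` counter are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): session id carried in a hidden POST field.
use strict;
use warnings;
use CGI;
use CGI::Session;

my $q    = CGI->new;
my $name = CGI::Session->name;    # field name, "CGISESSID" by default

# Take the claimed id from the POST body only. On a POST request param()
# reads the body, so an id placed in the query string is ignored.
my $claimed;
if ( ( $q->request_method // '' ) eq 'POST' ) {
    $claimed = scalar $q->param($name);
}

# An undef or unknown id makes CGI::Session start a fresh session with a
# newly generated id. The directory is an assumed location for this example.
my $session = CGI::Session->new( 'driver:file', $claimed,
    { Directory => '/tmp/cgiapp-example-sessions' } )
    or die CGI::Session->errstr;
$session->expire('+1h');

# Hypothetical per-session state, to show that the id round-trips.
my $count = ( $session->param('visits') // 0 ) + 1;
$session->param( 'visits', $count );
$session->flush;

print $q->header( -type => 'text/html', -charset => 'utf-8' ),
    $q->start_html('Hidden-field session'),
    $q->p("Visits in this session: $count"),
    $q->start_form( -method => 'POST', -action => $q->script_name ),
    # -override => 1 forces the server-side id into the field; without it
    # CGI.pm's sticky fields would echo back whatever value was submitted.
    $q->hidden( -name => $name, -default => $session->id, -override => 1 ),
    $q->submit( -value => 'Next' ),
    $q->end_form,
    $q->end_html;
```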