Ron Savage wrote:

>>> o Add the session id to the URL. This method has the most problems, and
>>> is not recommended.
>>>
>>> The session id is generated by CGI::Session.

>> Surely 1 and 3 are the same (except possibly you are talking about a post vs
>> get)?

> Not really.

>> What are the problems with the last option? This is the way I have to
>> approach it as I can't rely on the browsers I am dealing with to allow
>> cookies. It's worked fine up to now...

> Google for XSS - Cross-site scripting attacks, as a starter.
Maybe I'm being dense, but XSS is about letting users embed HTML/JS into other documents. So you need to protect against nefarious JS folks. How does putting the session id in the URL cause XSS problems? XSS is all about *escaping* user-entered data when outputting it.

-- 
Michael Peters
Developer
Plus Three, LP

#####  CGI::Application community mailing list  ################
To unsubscribe, or change your message delivery options, visit: http://www.erlbaum.net/mailman/listinfo/cgiapp
Web archive: http://www.erlbaum.net/pipermail/cgiapp/
Wiki: http://cgiapp.erlbaum.net/
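To make the two sides of this exchange concrete, here is an added Python example; it is not code from the thread, from CGI::Application or from CGI::Session. It shows the output escaping Michael describes as the XSS defence, and, separately, one way a session id carried in the query string leaves the site even when every byte of output is escaped correctly: the Referer header a browser of that era sends when the user follows an outbound link. The parameter name CGISESSID, the URLs and the session value are assumptions made for the example, and the Referer model is the classic behaviour (page URL minus fragment), which newer referrer policies may trim.

```python
"""Session id in the URL vs. output escaping (added example, not from the thread)."""
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
import html

# Assumed query-parameter name for the example; the thread does not quote one.
SESSION_PARAM = "CGISESSID"


def render_comment_unsafe(comment: str) -> str:
    """The XSS hole Michael describes: user data copied straight into HTML."""
    return "<p>%s</p>" % comment


def render_comment(comment: str) -> str:
    """The fix he describes: escape user-entered data when outputting it."""
    return "<p>%s</p>" % html.escape(comment, quote=True)


def add_session_to_url(url: str, session_id: str) -> str:
    """Ron's third option: carry the session id in the query string."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append((SESSION_PARAM, session_id))
    return urlunsplit(parts._replace(query=urlencode(query)))


def referer_sent_on_click(page_url: str) -> str:
    """Model of the classic browser behaviour when a user follows a link:
    the Referer is the current page URL with only the fragment removed,
    so the whole query string (session id included) goes to the link target.
    Newer referrer policies can shorten this; the model is an assumption."""
    parts = urlsplit(page_url)
    return urlunsplit(parts._replace(fragment=""))


def session_id_from_referer(referer: str) -> Optional[str]:
    """What the third-party site, or anyone reading its access log, can recover."""
    for name, value in parse_qsl(urlsplit(referer).query, keep_blank_values=True):
        if name == SESSION_PARAM:
            return value
    return None


if __name__ == "__main__":
    # Constructed sample values, not data from the thread.
    hostile = "<script>alert(document.location)</script>"
    print(render_comment_unsafe(hostile))   # script tag survives: XSS
    print(render_comment(hostile))          # escaped: inert text

    page = add_session_to_url("https://app.example/view?item=7#top", "abc123")
    referer = referer_sent_on_click(page)
    print(page)
    print(referer)
    print(session_id_from_referer(referer))  # abc123: leaked without any XSS
```

Running the script prints the escaped and unescaped renderings side by side, then the session-bearing page URL, the Referer an outbound click would carry, and the session id recovered from it. The point the example isolates is that escaping answers the injection half of the question, while the query-string session id is exposed by ordinary link following and logging regardless of how carefully the page is escaped.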