[cgiapp] Persistence

Ron Savage ron at savage.net.au
Wed Feb 6 16:47:25 EST 2008


On Wed, 2008-02-06 at 08:16 +0000, Mark Knoop wrote:

Hi Mark

> >
> > On top of the other responses, I'd add:
> > Your application must keep track of a 'session'. The main ways to do
> > that are:
> >
> > o Add a hidden field to each CGI form, in which you send out to the
> > client the id of their session, so that when the user submits the form
> > you get back their id. This is my preferred alternative
> >
> > o Add the session id to a cookie sent from your code, which you get back
> > later from the client. This is a commonly-used method
> >
> > o Add the session id to the URL. This method has the most problems, and
> > is not recommended.
> >
> > The session id is generated by CGI::Session.
> 
> Surely 1 and 3 are the same (except possibly you are talking about a post vs 
> get)?

Not really.

> What are the problems with the last option? This is the way I have to 
> approach it as I can't rely on the browsers I am dealing with to allow 
> cookies. It's worked fine up to now... 

Google for XSS - Cross-site scripting attacks, as a starter.
-- 
Ron Savage
ron at savage.net.au
http://savage.net.au/index.html
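Added example, not part of the thread above or of CGI::Application/CGI::Session: it shows why the third option (session id in the URL) exposes the id in places a cookie or hidden form field never reaches, and gives a small detector and redactor for server logs. Assumptions: the parameter is named CGISESSID (CGI::Session's default name; change SESSION_PARAM if the application sets another), the id is a run of hex digits as CGI::Session's default MD5 generator produces, and the logs are in Apache/nginx "combined" format. The log lines and addresses are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Session parameter name. CGI::Session's default is CGISESSID (assumed here;
# the application may have chosen another via CGI::Session->name).
SESSION_PARAM = "CGISESSID"

# Accept hex ids between 16 and 64 digits; CGI::Session's default MD5
# generator yields 32 (assumed), other generators fall inside the range.
SID_VALUE_RE = re.compile(r"[0-9A-Fa-f]{16,64}")

# Apache/nginx "combined" log format; only the fields used below are named.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def session_id_in_url(url):
    """Return the session id carried in url's query string, or None."""
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key == SESSION_PARAM and SID_VALUE_RE.fullmatch(value):
            return value
    return None


def strip_session_id(url):
    """Return url without the session parameter. Used when redacting logs and
    when building links that must not carry the id (e.g. links to other sites)."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != SESSION_PARAM]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def referer_for_cross_site_link(page_url):
    """The Referer a browser of the time sent when the user followed a link from
    page_url to another site: the full URL minus the fragment. With the id in
    the URL, the other site receives a live session id; with a cookie or a
    hidden field it receives nothing session-related."""
    return urlunsplit(urlsplit(page_url)._replace(fragment=""))


def find_leaked_ids(log_lines):
    """Report every session id visible in a log line's request target or
    Referer, as [(line_no, field, sid), ...]. Lines that do not parse are skipped."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("target", "referer"):
            sid = session_id_in_url(m.group(field))
            if sid:
                hits.append((n, field, sid))
    return hits


def scrub_log_line(line):
    """Redact session ids from the request target and Referer so a log can be
    retained or handed to someone without exposing live sessions."""
    m = LOG_RE.match(line)
    if not m:
        return line
    out = line
    for field in ("target", "referer"):
        value = m.group(field)
        if session_id_in_url(value):
            out = out.replace(value, strip_session_id(value))
    return out


# Constructed sample: one id passed in the URL, the same id arriving at a third
# party through the Referer, and a cookie-based request that leaks nothing.
SID = "0123456789abcdef0123456789abcdef"
SAMPLE_LOG = [
    f'203.0.113.5 - - [06/Feb/2008:16:47:25 +1100] "GET /cgi-bin/app.cgi?rm=list&CGISESSID={SID} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - [06/Feb/2008:16:48:01 +1100] "GET /banner.gif HTTP/1.1" 200 43 "http://app.example/cgi-bin/app.cgi?rm=list&CGISESSID={SID}" "Mozilla/5.0"',
    '203.0.113.5 - - [06/Feb/2008:16:49:10 +1100] "POST /cgi-bin/app.cgi HTTP/1.1" 200 512 "http://app.example/cgi-bin/app.cgi" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_leaked_ids(SAMPLE_LOG):
        print("leak:", hit)
    for line in SAMPLE_LOG:
        print(scrub_log_line(line))
```

The second sample line is what the operator of the banner host sees: the browser volunteered the session id in the Referer, which is one of the leaks behind the "not recommended" verdict above, alongside browser history, bookmarks, and shared links. Browsers since about 2020 default to a Referrer-Policy that sends only the origin cross-site, so referer_for_cross_site_link reflects the 2008-era behaviour; the log exposure and the copy-and-paste risk are unchanged by that.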
