[cgiapp] Persistence
Ron Savage
ron at savage.net.au
Wed Feb 6 16:47:25 EST 2008
On Wed, 2008-02-06 at 08:16 +0000, Mark Knoop wrote:
Hi Mark
> >
> > On top of the other responses, I'd add:
> > Your application must keep track of a 'session'. The main ways to do
> > that are:
> >
> > o Add a hidden field to each CGI form, in which you send out to the
> > client the id of their session, so that when the use submits the form
> > you get back their id. This is my preferred alternative
> >
> > o Add the session id to a cookie sent from your code, which you get back
> > later from the client. This is a commonly-used method
> >
> > o Add the session id to the URL. This method has the most problems, and
> > is not recommended.
> >
> > The session id is generated by CGI::Session.
>
> Surely 1 and 3 are the same (except possibly you are talking about a post vs
> get)?
Not really.
> What are the problems with the last option? This is the way I have to
> approach it as I can't rely on the browsers I am dealing with to allow
> cookies. It's worked fine up to now...
Google for XSS - Cross-site scripting attacks, as a starter.
--
Ron Savage
ron at savage.net.au
http://savage.net.au/index.html
More information about the cgiapp
mailing list