[cgiapp] Persistence
Michael Peters
mpeters at plusthree.com
Wed Feb 6 16:47:17 EST 2008
Ron Savage wrote:
>>> o Add the session id to the URL. This method has the most problems, and
>>> is not recommended.
>>>
>>> The session id is generated by CGI::Session.
>> Surely 1 and 3 are the same (except possibly you are talking about a post vs
>> get)?
>
> Not really.
>
>> What are the problems with the last option? This is the way I have to
>> approach it as I can't rely on the browsers I am dealing with to allow
>> cookies. It's worked fine up to now...
>
> Google for XSS - Cross-site scripting attacks, as a starter.
Maybe I'm being dense, but XSS is about letting users embed HTML/JS into other
documents. So you need to protect against nefarious JS folks. How does putting
the session id in the URL cause XSS problems? XSS is all about *escaping* user
entered data when outputting it.
--
Michael Peters
Developer
Plus Three, LP