Sessions and CXX

[xProteuSx]

I am relatively new to PHP and MySQL and I have started on a major project.  I have read many posts on Cross Site Scripting.  It seems to me that a lot of people are using Cookies.  Although I have a members section only for my site, I have decided to use sessions alone.  Seeing that so many people are utilizing cookies, I am starting to doubt my decision.  I have read up on both, and I do not see a major benefit of cookies.  On the contrary, it seems that CXX is rampant, so it seems like cookies are a bad idea.  After all, if a member wants back into the site, its not too much to ask him to login again.

 

So I guess I want to make sure of one thing:  if you do not issue cookies, you cannot have CXX security flaws.  Am I right?  I think so, but I would like confirmation.

 

Thanks. :-\

[Daniel0]

First of all, Cross Site Scripting is called XSS

 

You can set it to store the session id using a cookie on the client side, in that way you should be able to keep users logged in when they've closed their browser. XSS vulnerabilities are typically where it is possible to inject arbitrary Javascript code (e.g. using a URL or a post form) which enables a user to execute malicious code - this could for example lead to grabbing the session id. See: http://en.wikipedia.org/wiki/Session_fixation and http://en.wikipedia.org/wiki/XSS

[xProteuSx]

I'm sorry Daniel0:  I do appreciate your help, but you have not answered the question.  If I do not use cookies, then my users are invulnerable to XSS (thanks for the correction) at the cost of having to log back in every time they close the browser.  Is this correct?  Is this the only downside to using sessions alone?  Thanks in advance.

[trq]

If I do not use cookies, then my users are invulnerable to XSS (thanks for the correction) at the cost of having to log back in every time they close the browser.  Is this correct?

 

No.

 

XSS vulnerabilities are typically where it is possible to inject arbitrary Javascript code (e.g. using a URL or a post form) which enables a user to execute malicious code

 

While some XSS attacks may relate to people trying to read from cookies they are not meant too, these are not the only attacks around.

[xProteuSx]

I'm not really at the debugging stage of the script (which includes security testing), and may not be there for a while, but I cannot find a really thorough source on the coding practices that can be implemented to avoid leaving XSS security holes.  Anyone know of a brief but good rundown?