Jump to content

Recommended Posts

I am relatively new to PHP and MySQL and I have started on a major project.  I have read many posts on Cross Site Scripting.  It seems to me that a lot of people are using Cookies.  Although I have a members section only for my site, I have decided to use sessions alone.  Seeing that so many people are utilizing cookies, I am starting to doubt my decision.  I have read up on both, and I do not see a major benefit of cookies.  On the contrary, it seems that CXX is rampant, so it seems like cookies are a bad idea.  After all, if a member wants back into the site, its not too much to ask him to login again.

 

So I guess I want to make sure of one thing:  if you do not issue cookies, you cannot have CXX security flaws.  Am I right?  I think so, but I would like confirmation.

 

Thanks. :-\

Link to comment
https://forums.phpfreaks.com/topic/77810-sessions-and-cxx/
Share on other sites

First of all, Cross Site Scripting is called XSS ;)

 

You can set it to store the session id using a cookie on the client side, in that way you should be able to keep users logged in when they've closed their browser. XSS vulnerabilities are typically where it is possible to inject arbitrary Javascript code (e.g. using a URL or a post form) which enables a user to execute malicious code - this could for example lead to grabbing the session id. See: http://en.wikipedia.org/wiki/Session_fixation and http://en.wikipedia.org/wiki/XSS

Link to comment
https://forums.phpfreaks.com/topic/77810-sessions-and-cxx/#findComment-393818
Share on other sites

I'm sorry Daniel0:  I do appreciate your help, but you have not answered the question.  If I do not use cookies, then my users are invulnerable to XSS (thanks for the correction) at the cost of having to log back in every time they close the browser.  Is this correct?  Is this the only downside to using sessions alone?  Thanks in advance.

Link to comment
https://forums.phpfreaks.com/topic/77810-sessions-and-cxx/#findComment-397895
Share on other sites

If I do not use cookies, then my users are invulnerable to XSS (thanks for the correction) at the cost of having to log back in every time they close the browser.  Is this correct?

 

No.

 

XSS vulnerabilities are typically where it is possible to inject arbitrary Javascript code (e.g. using a URL or a post form) which enables a user to execute malicious code

 

While some XSS attacks may relate to people trying to read from cookies they are not meant too, these are not the only attacks around.

Link to comment
https://forums.phpfreaks.com/topic/77810-sessions-and-cxx/#findComment-397911
Share on other sites

I'm not really at the debugging stage of the script (which includes security testing), and may not be there for a while, but I cannot find a really thorough source on the coding practices that can be implemented to avoid leaving XSS security holes.  Anyone know of a brief but good rundown?

Link to comment
https://forums.phpfreaks.com/topic/77810-sessions-and-cxx/#findComment-397977
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.