xProteuSx Posted November 18, 2007

I am relatively new to PHP and MySQL and I have started on a major project. I have read many posts on Cross Site Scripting. It seems to me that a lot of people are using Cookies. Although I have a members section only for my site, I have decided to use sessions alone. Seeing that so many people are utilizing cookies, I am starting to doubt my decision. I have read up on both, and I do not see a major benefit of cookies. On the contrary, it seems that CXX is rampant, so it seems like cookies are a bad idea. After all, if a member wants back into the site, it's not too much to ask him to login again. So I guess I want to make sure of one thing: if you do not issue cookies, you cannot have CXX security flaws. Am I right? I think so, but I would like confirmation. Thanks. :-\
Daniel0 Posted November 18, 2007

First of all, Cross Site Scripting is called XSS. You can set it to store the session id using a cookie on the client side; in that way you should be able to keep users logged in when they've closed their browser. XSS vulnerabilities are typically where it is possible to inject arbitrary Javascript code (e.g. using a URL or a post form) which enables a user to execute malicious code - this could for example lead to grabbing the session id. See: http://en.wikipedia.org/wiki/Session_fixation and http://en.wikipedia.org/wiki/XSS
xProteuSx (Author) Posted November 24, 2007

I'm sorry Daniel0: I do appreciate your help, but you have not answered the question. If I do not use cookies, then my users are invulnerable to XSS (thanks for the correction) at the cost of having to log back in every time they close the browser. Is this correct? Is this the only downside to using sessions alone? Thanks in advance.
trq Posted November 24, 2007

Quote: "If I do not use cookies, then my users are invulnerable to XSS (thanks for the correction) at the cost of having to log back in every time they close the browser. Is this correct?"

No.

Quote: "XSS vulnerabilities are typically where it is possible to inject arbitrary Javascript code (e.g. using a URL or a post form) which enables a user to execute malicious code"

While some XSS attacks may relate to people trying to read from cookies they are not meant to, these are not the only attacks around.
xProteuSx (Author) Posted November 24, 2007

I'm not really at the debugging stage of the script (which includes security testing), and may not be there for a while, but I cannot find a really thorough source on the coding practices that can be implemented to avoid leaving XSS security holes. Anyone know of a brief but good rundown?
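A worked illustration of the points raised in the replies above, added here as an example and not code from any poster: the kind of reflected XSS hole Daniel0 describes, the output-encoding fix, and the PHP session settings that limit what injected script can do with a session id. It assumes a hypothetical page that greets the visitor by a `name` query parameter.

```php
<?php
// Added example (not from any post in this thread). It shows the reflected
// XSS bug the replies describe, the output-encoding fix, and session settings
// that limit what injected script can do with the session id.
// Hypothetical page: greets the visitor by a `name` taken from the query string.
declare(strict_types=1);

// Encode untrusted data for an HTML body or attribute context. ENT_QUOTES also
// encodes single quotes; other contexts (JavaScript, URLs, CSS) need their own
// encoders, htmlspecialchars() alone is not enough there.
function h(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// BEFORE: the parameter is echoed raw, so markup or script supplied in the URL
// becomes part of the page and runs in the visitor's browser.
function greeting_vulnerable(string $name): string
{
    return "<p>Welcome back, $name</p>";
}

// AFTER: the same page, with every untrusted value encoded at output time.
function greeting_safe(string $name): string
{
    return '<p>Welcome back, ' . h($name) . '</p>';
}

// Session hardening; relevant whether or not users stay logged in between
// browser restarts. Must run before session_start().
function start_hardened_session(): void
{
    ini_set('session.use_only_cookies', '1');      // refuse ids passed in the URL
    ini_set('session.use_trans_sid', '0');         // never rewrite the id into links
    ini_set('session.cookie_httponly', '1');       // script cannot read the id via document.cookie
    ini_set('session.cookie_secure', '1');         // send the cookie over HTTPS only
    ini_set('session.cookie_samesite', 'Strict');  // PHP >= 7.3
    session_start();
}

// On login: issue a fresh id so one planted before authentication is worthless.
function on_successful_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_hardened_session();
echo greeting_safe($_GET['name'] ?? 'guest');
```

The encoding step belongs at output time, for every value that did not originate in your own code, regardless of whether the session id lives in a cookie or not.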