To prevent XSS attacks you should have a 'logged in' hidden input. Clear this input to logout, leave the Cookies as they are.
It's been a while since I've worked with HTTP sessions, but if memory serves you should be putting the last login name into a cookie and the "this user is logged in" data into form fields, or a "this cookie is logged in until" after on the server.
You definitely should not be using cookies to determine if a user is logged in, that much I remember clearly. You need either server side session or form variables. Place a "good for so long" password hash into an HTML hidden input and you'll do just fine.
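As an added illustration (not the poster's code, and not an endorsement of the hidden-input approach above), here is the server-side session variant the post mentions: the browser holds only an opaque random token, the "good for so long" lifetime lives on the server, logout destroys the server-side entry, and anything echoed back into an HTML hidden input is escaped so the login form itself cannot become an XSS sink. The store, lifetime constant and injectable clock are assumptions for the example.

```python
import html
import secrets
import time

# Assumed lifetime for a session entry, in seconds.
SESSION_LIFETIME = 30 * 60


class SessionStore:
    """In-memory server-side session table keyed by an opaque token.

    The token carries no meaning on its own; the user identity and the
    expiry time are only ever stored on the server side.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for deterministic tests
        self._sessions = {}

    def create(self, username):
        # 32 random bytes, URL-safe encoded: unguessable and safe to place
        # in a cookie or a form field without further encoding.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": username,
            "expires": self._clock() + SESSION_LIFETIME,
        }
        return token

    def user_for(self, token):
        """Return the logged-in user for a token, or None if unknown/expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if entry["expires"] <= self._clock():
            # Expired entries are purged on first touch.
            del self._sessions[token]
            return None
        return entry["user"]

    def destroy(self, token):
        """Logout: remove the server-side entry; the client copy is now useless."""
        self._sessions.pop(token, None)


def hidden_input(name, value):
    """Render a hidden form field with attribute-safe escaping.

    Escaping is what keeps a reflected value from breaking out of the
    attribute; the token itself is URL-safe, but the helper escapes any
    value so it stays safe if reused for other fields.
    """
    return '<input type="hidden" name="%s" value="%s">' % (
        html.escape(name, quote=True),
        html.escape(value, quote=True),
    )


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    print(hidden_input("session", tok))
    print(store.user_for(tok))
    store.destroy(tok)
    print(store.user_for(tok))
```

The fake clock in a test lets you confirm the expiry path without waiting thirty minutes.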
Bad practices, even when using Perl, can lead to XSS attacks. This is not the place to debate the "known and widely accepted solutions" to XSS. There are many resources outside of Perl that deal with this topic. Use the Perl modules and you've got a chance at safe code; head off in your own direction and you'll regret it.
My post was aimed at getting the Monk to understand that the question was leading the code in a direction it would be best it didn't. There are not many ways to implement a website hardened against XSS and this limits the scope of any questions related to login, sessions, data handling, and form validation to a less than manageable size. In other words if you're doing web development and your code dealing with one of these areas doesn't just work, you need to fall back into line or your users will be hacked.