Re^5: Perl Sessions and Cookies - Cookie don't get passed

Bad practices, even when using perl, can lead to XSS attacks. This is not the place to debate the "Known and widely accepted solutions." to XSS. There are many resources outside of Perl that deal with this topic. Use the perl modules and you've got a chance at safe code, head off in your own direction and you'll regret it.

My post was aimed at getting the Monk to understand that the question was leading the code in a direction it would be best it didn't. There are not many ways to implement a website hardened against XSS and this limits the scope of any questions related to login, sessions, data handling, and form validation to a less than manageable size. In other words if you're doing web development and your code dealing with one of these areas doesn't just work, you need to fall back into line or your users will be hacked.

Comment on Re^5: Perl Sessions and Cookies - Cookie don't get passed

Replies are listed 'Best First'.
Re^6: Perl Sessions and Cookies - Cookie don't get passed by karlgoethebier (Abbot) on Mar 07, 2015 at 17:06 UTC
Again: What does this thread have to do with XSS attacks? Karl ŤThe Crux of the Biscuit is the Apostropheť	[reply]
Re^7: Perl Sessions and Cookies - Cookie don't get passed by cheako (Beadle) on Mar 07, 2015 at 22:11 UTC
Q: My web site login/logout code needs to delete cookies, how can I do this? A: You don't do login/logout that way, it's not standard practice and what you are trying to do screams XSS attack. Instead of deleting a cookie don't send your anti XSS hidden input. All web forms should have some post/get variable with a secret code that only that user knows. This ensures that forms, without having the correct hidden input value, can't be submitted to the site. The site code can easily determine if the form being filled out originated from the site.	[reply]
Re^8: Perl Sessions and Cookies - Cookie don't get passed by Anonymous Monk on Mar 08, 2015 at 14:01 UTC
anti XSS hidden input I am still confused about this, but I realized maybe it's just a miscommunication - maybe we're talking about a different attack? What's your definition of an XSS attack? If you really do mean a Cross-site scripting attack, I'd love to see an example of how a hidden input prevents it?	[reply]
Re^9: Perl Sessions and Cookies - Cookie don't get passed by cheako (Beadle) on Mar 09, 2015 at 20:05 UTC
Re^10: Perl Sessions and Cookies - Cookie don't get passed by Anonymous Monk on Mar 09, 2015 at 21:11 UTC
Some notes below your chosen depth have not been shown here