---- Http_referer


franklin_dematto - 2:35 am on Apr 6, 2003 (gmt 0)


Really! Cross-site scripting attacks are widely discussed, but there have been few reports so far of them actually happening. I'd be interested in what the exact evidence you've seen is.

A few alternate solutions:
1) Make the IDs unique per IP address. Of course, you'll have problems with AOL and with other proxy servers. But there are solutions to this - many proxies transmit an X-Forwarded-For header, and you can treat all subnets as the same IP. You can also monitor the first, let's say, five requests - if they are from the same IP, assume no proxy is being used, and restrict further requests to the same IP.

2) Make the IDs unique to the User-Agent header. Of course, this can be trivially forged as well. But it is one more piece of information that the attacker will need - what is the UA of his victim. (Note that if the attacker can send his victim to a server he controls, he can easily learn this.)

3) How are attackers learning the IDs? Are they predicting them? If so, you need to work on your crypto/PRNG. Are they stealing them through attacks on your users' browsers? If so, depending on the dialogue you have with them, you may want to urge them to patch their browsers. Are they embedding scripts in your site? Then you need to make sure you catch and eliminate them. Also note that Microsoft has introduced the HttpOnly flag in cookies, which guards against script-based cookie theft.

If you need clarification on all this, sticky me.

I must add that you should recheck your analysis of your logs. Mass exploitation of XSS is very rare, primarily since it requires the interaction of the legitimate user as well. Is it possible that you have misdiagnosed what you're finding in your logs?

A caveat: You mentioned that you know that your pages are secure since you have been coding so long. The needs of security are related to, but not identical to, the needs of solid programming in general.
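
The three mitigations in the post above (IP binding with X-Forwarded-For and subnet handling plus a short learning phase, User-Agent binding, and unpredictable IDs delivered as HttpOnly cookies) combined into one session store, as an added example that is not code from the thread or its poster. The names (SessionStore, client_ip_from_request, LEARN_REQUESTS, the sample addresses) are this example's own; the Secure attribute on the cookie is an addition the post does not mention. One caveat the post leaves implicit is built in: X-Forwarded-For is only honoured when the TCP peer is one of your own proxies, since otherwise the attacker can simply set it to the victim's address.

```python
"""Session store binding IDs to client network and User-Agent.

Constructed example, not code from the original thread. Names and sample
addresses are assumptions made for illustration.
"""
import hashlib
import hmac
import ipaddress
import secrets

SESSION_ID_BYTES = 32            # 256 bits from the OS CSPRNG, not a guessable counter
LEARN_REQUESTS = 5               # requests observed before deciding whether to pin the IP
NETWORK_PREFIX = {4: 24, 6: 64}  # compare at subnet granularity ("treat subnets as one IP")


def client_ip_from_request(remote_addr, x_forwarded_for, trusted_proxies):
    """Return the address to bind the session to.

    X-Forwarded-For is attacker-controlled unless the TCP peer is a proxy we
    operate, so it is honoured only when remote_addr is in trusted_proxies.
    The header is then walked from the right and the first hop that is not
    one of our proxies is taken (hops to its left were appended by strangers).
    """
    remote = ipaddress.ip_address(remote_addr)
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if remote not in trusted or not x_forwarded_for:
        return remote
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            continue  # junk in a client-supplied header; ignore that hop
        if addr not in trusted:
            return addr
    return remote


def network_of(addr):
    """Collapse an address to its /24 (IPv4) or /64 (IPv6) network."""
    return ipaddress.ip_network(f"{addr}/{NETWORK_PREFIX[addr.version]}", strict=False)


def ua_fingerprint(user_agent):
    return hashlib.sha256((user_agent or "").encode("utf-8")).hexdigest()


class SessionStore:
    def __init__(self, trusted_proxies=()):
        self.trusted_proxies = tuple(trusted_proxies)
        self._sessions = {}

    def create(self, remote_addr, user_agent, x_forwarded_for=None):
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        ip = client_ip_from_request(remote_addr, x_forwarded_for, self.trusted_proxies)
        self._sessions[sid] = {
            "ua": ua_fingerprint(user_agent),
            "nets": [network_of(ip)],  # networks seen during the learning phase
            "pinned": None,            # network to enforce once the learning phase ends
            "proxied": False,          # True if the client's address kept changing
        }
        return sid

    def set_cookie_header(self, sid):
        # HttpOnly keeps document.cookie from reading the ID; Secure keeps it off cleartext HTTP.
        return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure"

    def validate(self, sid, remote_addr, user_agent, x_forwarded_for=None):
        """True if the request may use this session; a mismatch revokes it."""
        s = self._sessions.get(sid)
        if s is None:
            return False
        if not hmac.compare_digest(s["ua"], ua_fingerprint(user_agent)):
            self._sessions.pop(sid, None)
            return False
        ip = client_ip_from_request(remote_addr, x_forwarded_for, self.trusted_proxies)
        net = network_of(ip)
        if s["pinned"] is not None:
            if net != s["pinned"]:
                self._sessions.pop(sid, None)
                return False
            return True
        if s["proxied"]:
            return True  # address rotates behind a proxy farm; IP binding is not enforced
        s["nets"].append(net)
        if len(s["nets"]) >= LEARN_REQUESTS:
            if all(n == s["nets"][0] for n in s["nets"]):
                s["pinned"] = s["nets"][0]  # stable address: lock the session to it
            else:
                s["proxied"] = True         # AOL-style rotating addresses: do not pin
        return True
```

The learning phase means a user behind a rotating proxy pool is never locked out, at the cost of losing IP binding for that session; the User-Agent check still applies to every request. Invalidating on mismatch rather than merely rejecting the request forces the legitimate user to log in again, which also ends the attacker's copy of the ID.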


Thread source:: http://www.webmasterworld.com/website_technology/1919.htm
Brought to you by WebmasterWorld: http://www.webmasterworld.com