Cross-site scripting attacks take advantage of a vulnerability that enables a malicious site to use your browser to submit form requests to another site, such as an ATG-based site. In order to protect forms from cross-site attacks, you can enable form submissions to automatically supply the request parameter _dynSessConf, which identifies the current session through a randomly-generated long number. On submission of a form or activation of a property-setting dsp:a tag, the request-handling pipeline validates _dynSessConf against its session confirmation identifier. If it detects a mismatch or missing number, it can block form processing and return an error.

You can control session confirmation for individual requests by setting the attribute requiresSessionConfirmation to true or false on the applicable dsp:form or dsp:a tag. If this attribute is set to false, the _dynSessConf parameter is not included in the HTTP request; and the request-handling pipeline skips validation of this request’s session confirmation number. You can also set session confirmation globally; for more information, refer to Appendix F: Servlets in a Request Handling Pipeline, in the ATG Platform Programming Guide.