Re: proposing Section 508 compliance as requirement for 2.x

Ed W wrote:
> Hi
>> and to make matters worse, many of the 
>> input forms do a really, really ugly hack where each time a new item is 
>> added, instead of preserving state somewhere it's sent back to the client - 
>> html and all - in a hidden field. This alone makes it nearly impossible to 
>> properly protect against XSS attacks.
> As an aside, whilst I am not saying that it's impossible to do this all 
> with only sessions, I am actually baffled as to how it could be done and 
> need to do something similar in another project.  So if someone can 
> describe how to have multi-window state kept using only sessions then 
> please let me know... (I can't see how to do it without having a 
> session_id in the URL in order to figure out which window is submitting 
> each time??)
This is what REST is about--REpresentational State Transfer. All of the
state information is kept in the request, so the server doesn't need to
maintain state for each request. This has the benefits you're looking
for--proper browser history, ability to have different sessions in
different windows of the same browser, etc.

To make this work, each request needs to have all the information
necessary to rebuild the state... and you don't tend to store state on
the server... some sort of hybrid may be more appropriate, especially if
we do more of a transaction model for certain things...

John Locke
"Open Source Solutions for Small Business Problems"
published by Charles River Media, June 2004
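
As an added example (not part of the thread), one way to carry per-window form state in the request itself, as the REST approach above describes, while avoiding the hidden-field hack criticised earlier: the state is serialised as structured data rather than HTML, signed with an HMAC so a tampered token is rejected, and the item list is re-rendered with escaping on every round trip. The secret key, the `items` field and the `window` id are constructed for this example.

```python
import base64
import hashlib
import hmac
import html
import json

# Constructed secret for this example; a real deployment loads it from a secret store.
SECRET_KEY = b"example-secret-do-not-use"


def pack_state(state: dict) -> str:
    """Serialise per-window state as JSON (never raw HTML) and attach an HMAC tag.
    The token goes into a hidden field, so each window carries its own state."""
    payload = base64.urlsafe_b64encode(json.dumps(state, sort_keys=True).encode()).decode()
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def unpack_state(token: str) -> dict:
    """Verify the tag in constant time before trusting any field; reject on mismatch."""
    payload, sep, tag = token.rpartition(".")
    if not sep:
        raise ValueError("malformed state token")
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("state token failed integrity check")
    return json.loads(base64.urlsafe_b64decode(payload.encode()))


def is_valid(token: str) -> bool:
    """Convenience check: True only if the token verifies and decodes."""
    try:
        unpack_state(token)
        return True
    except (ValueError, json.JSONDecodeError):
        return False


def render_items(state: dict) -> str:
    """Re-render the list server-side with every value escaped, instead of
    echoing client-supplied HTML back into the page."""
    rows = "".join(f"<li>{html.escape(item)}</li>" for item in state["items"])
    return f"<ul>{rows}</ul>"


def add_item(token: str, new_item: str) -> str:
    """One request/response cycle: verify incoming state, append the item, re-sign."""
    state = unpack_state(token)
    state["items"].append(new_item)
    return pack_state(state)
```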