HttpView overhaul was: Re: Exploring Zope and ZPatterns [WEB][IDEA]

Avi Bryant avi at beta4.com
Fri Oct 31 04:36:57 UTC 2003


On Thursday, October 30, 2003, at 08:14 PM, Jimmie Houchin wrote:
>
> To me putting state and such into the URL makes the app/page to user 
> manipulatable. (From memory) When playing with Seaside a few weeks ago 
> and going thru the tutorial, it seemed as if I could go back to the 
> beginning by merely removing the session/state off of the URL.
>
> If I can successfully authenticate the user I prefer to have any of 
> that stuff stored server side and not at the disposal of the user.
>
> The most I would care to have is a user/session key in the URL.
> The key could be base64 or base256 or the largest baseWhatever that 
> has URL permissible characters or something which would allow for a 
> very small and brief (few characters) keys and still allow for 
> enormous numbers of users/sessions etc.
>
> If the key in the URL is to an old session, request the user to login 
> (authenticate). If the user wishes to be anonymous set new session key 
> in the URL. This would allow bookmarking to be successful even if a 
> session key is embedded in the URL. Not the best of bookmarks, but 
> users will do such.

This is precisely how Seaside works.  No meaningful state is stored in 
the URL - it's just a key to server side state.
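
The design discussed in this message (the URL carries only an opaque key, all state lives on the server, and an old or altered key yields a fresh session), sketched as an added example; it is not Seaside code and not from the original post. The names `SessionStore` and `handle`, the 30-minute timeout and the 128-bit key length are assumptions of the example.

```python
import secrets
import time

SESSION_TTL = 1800  # seconds; assumed idle timeout, not taken from the post

class SessionStore:
    """Server-side state keyed by an opaque, unguessable URL token."""

    def __init__(self, ttl=SESSION_TTL, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._sessions = {}  # key -> (last_seen, state dict)

    def create(self, user=None):
        # 16 random bytes -> 22 URL-safe base64 characters; the key encodes no state.
        key = secrets.token_urlsafe(16)
        self._sessions[key] = (self._clock(), {"user": user, "step": 0})
        return key

    def lookup(self, key):
        """Return the state for a live key, or None if unknown or expired."""
        entry = self._sessions.get(key)
        if entry is None:
            return None
        last_seen, state = entry
        if self._clock() - last_seen > self._ttl:
            del self._sessions[key]  # expired: drop the server-side state
            return None
        self._sessions[key] = (self._clock(), state)  # refresh idle timer
        return state

def handle(store, key):
    """Resolve the key taken from a request URL; returns (action, key, state)."""
    state = store.lookup(key) if key else None
    if state is not None:
        return "continue", key, state
    # Stale bookmark, removed key or altered key: nothing in the URL is trusted,
    # so the visitor gets a new anonymous session and must authenticate again.
    new_key = store.create()
    return "restart", new_key, store.lookup(new_key)
```
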



