HttpView overhaul was: Re: Exploring Zope and
avi at beta4.com
Fri Oct 31 04:36:57 UTC 2003
On Thursday, October 30, 2003, at 08:14 PM, Jimmie Houchin wrote:
> To me putting state and such into the URL makes the app/page to user
> manipulatable. (From memory) When playing with Seaside a few weeks ago
> and going thru the tutorial, it seemed as if I could go back to the
> beginning by merely removing the session/state off of the URL.
> If I can successfully authenticate the user I prefer to have any of
> that stuff stored server side and not at the disposal of the user.
> The most I would care to have is a user/session key in the URL.
> The key could be base64 or base256 or the largest baseWhatever that
> has URL permissible characters or something which would allow for
> very small and brief (few characters) keys and still allow for
> enormous numbers of users/sessions etc.
> If the key in the URL is to an old session, request the user to login
> (authenticate). If the user wishes to be anonymous set new session key
> in the URL. This would allow bookmarking to be successful even if a
> session key is embedded in the URL. Not the best of bookmarks, but
> users will do such.
This is precisely how Seaside works. No meaningful state is stored in
the URL - it's just a key to server side state.
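
The scheme discussed in this message (an opaque key in the URL, all state held server side, a stale or missing key restarting as anonymous) is sketched below as an added example; it is not part of the original message and is not Seaside code. The parameter name `s`, the 600-second timeout and the class name are assumptions made for the illustration.

```python
import secrets
import time
from urllib.parse import urlsplit, parse_qs

SESSION_TTL = 600  # seconds of inactivity before a key is stale (assumed value)

class SessionStore:
    """All state lives server side; the URL only carries an opaque key."""

    def __init__(self, clock=time.monotonic):
        self._sessions = {}   # key -> {"user", "state", "seen"}
        self._clock = clock

    def create(self, user=None):
        # 16 random bytes -> 22 URL-safe base64 characters, infeasible to guess
        key = secrets.token_urlsafe(16)
        self._sessions[key] = {"user": user, "state": {}, "seen": self._clock()}
        return key

    def lookup(self, key):
        """Return the live session for key, or None if unknown or stale."""
        session = self._sessions.get(key)
        if session is None:
            return None
        if self._clock() - session["seen"] > SESSION_TTL:
            del self._sessions[key]      # stale keys are never revived
            return None
        session["seen"] = self._clock()
        return session

    def handle(self, url):
        """Map a request URL to (key, session, reissued)."""
        params = parse_qs(urlsplit(url).query)
        key = params.get("s", [""])[0]   # "s" is a hypothetical parameter name
        session = self.lookup(key) if key else None
        if session is not None:
            return key, session, False
        # Missing, forged or bookmarked-but-expired key: start over as an
        # anonymous user under a fresh key; nothing from the old key carries over.
        key = self.create(user=None)
        return key, self._sessions[key], True
```

Stripping the key from the URL only yields a fresh anonymous session; the original session's state stays on the server under its own key until it times out.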