On 2008 Jun 4, at 22:30, Paul L wrote:
The server is then very much like a VM or an interpreter of an embedded language, with execution stacks entirely encoded and stored in each HTML page sent to the user and back from the user as an encoded URL or form data. So the server is entirely stateless.
Mmm, if any of that HTML-stored state is sensitive server information, this becomes a problem. (E.g. can I trick your application into thinking I'm an admin and then go starting/stopping processes, changing passwords. etc.?) You need to use extra care if anything sensitive is put where the client can munge it. -- brandon s. allbery [solaris,freebsd,perl,pugs,haskell] allbery@kf8nh.com system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu electrical and computer engineering, carnegie mellon university KF8NH