The PHP Scalability Myth
Subject: Hidden variables for session state?
Date: 2003-10-17 11:39:41
From: anonymous2
"Transient user interface information is stored in hidden variables on the web page."

Are you out of your mind? In "J2EE Core Patterns" they mention this architecture in passing as an example of how *not* to do it. It's insecure because a user can put any damn thing they want in those hidden variables. There are also bandwidth issues unless you keep that state very, very small, which is possible for simple Web apps but not for highly interactive sites.

If you require the ability to failover the presentation tier without losing active sessions, Weblogic supports HTTP session state replication via RMI: if the servlet changes the session, Weblogic will use RMI to send the change to the standby server, so that if one node in your presentation tier fails another can take its place starting with the session state just as the original node left it. The user doesn't need to know anything has happened.

  • Hidden variables for session state?
    2003-10-18 01:53:17  anonymous2

    No - if you read again: hidden variables for View state, not Session state.

    Put simply: how to preserve the state of a complex form while dealing with validation, perhaps a form of multiple pages (e.g. flight booking).

    >>> The hidden fields are used prior to validation. <<<

    If you're keeping this information in memory or some kind of session store between requests, you're doing things badly wrong and will end up with a) a lot of junk in memory for users that didn't come back, b) a whole load of extra processing as you have to re-validate the data on every request until the form is finally complete, and c) a whole load of extra complexity in your code to deal with.

    Jeez - this is basic stuff that people learnt with CGI ten years ago.
  • Hidden variables for session state?
    2003-10-17 12:09:23  anonymous2

    My dear person..... To keep the user from inserting "anything" they want one only needs to restrict hidden fields to a known set of responses AND restrict their use to the $_POST['<variable_name>'] usage type. These two things coupled make for a situation that is quite annoying to those who would "put anything they want" in the hidden field value. Have a nice day.
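The two mitigations the thread converges on, reading hidden fields only from $_POST and checking them against a known set of values, plus one the thread does not mention, an HMAC tag over the carried state so that an edited field is detected instead of trusted, as an added PHP example that is not code from the thread or from the article it comments on. The secret, the field names, the allowlist and the two-page flight-booking flow are constructed for illustration, and the walk-through uses inline arrays where a real handler would pass $_POST.

```php
<?php
// Added example (not from the original thread): carrying multi-page form
// state in hidden fields without trusting what comes back. The secret,
// field names and allowlist below are assumptions for illustration.
declare(strict_types=1);

// Server-side secret; load it from configuration in a real deployment,
// never from the request. Constructed placeholder value.
const VIEW_STATE_SECRET = 'replace-with-a-random-32-byte-secret';

// Hidden fields whose values must come from a known set (the allowlist
// suggested in the thread). Constructed for the example.
const ALLOWED_VALUES = [
    'trip_type' => ['one_way', 'return'],
    'cabin'     => ['economy', 'business'],
];

// Pack the state from earlier pages into one hidden field: base64(json)
// followed by an HMAC tag, so the client cannot alter it undetected.
function encode_view_state(array $state): string
{
    $payload = base64_encode(json_encode($state, JSON_THROW_ON_ERROR));
    $tag = hash_hmac('sha256', $payload, VIEW_STATE_SECRET);
    return $payload . '.' . $tag;   // base64 never contains '.', so the split is unambiguous
}

// Verify the tag and decode; returns null when the field was altered or is malformed.
function decode_view_state(string $field): ?array
{
    $parts = explode('.', $field, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $tag] = $parts;
    $expected = hash_hmac('sha256', $payload, VIEW_STATE_SECRET);
    if (!hash_equals($expected, $tag)) {   // constant-time comparison
        return null;
    }
    $json = base64_decode($payload, true);
    if ($json === false) {
        return null;
    }
    $state = json_decode($json, true);
    return is_array($state) ? $state : null;
}

// Check each hidden field against its allowlist, with strict comparison so
// that type juggling cannot turn an unexpected value into an accepted one.
function validate_hidden_fields(array $post): array
{
    $clean = [];
    foreach (ALLOWED_VALUES as $name => $allowed) {
        $value = $post[$name] ?? null;
        if (!is_string($value) || !in_array($value, $allowed, true)) {
            throw new InvalidArgumentException("unexpected value for hidden field '$name'");
        }
        $clean[$name] = $value;
    }
    return $clean;
}

// Render hidden inputs for the next page, escaping names and values.
function hidden_inputs(array $fields): string
{
    $out = '';
    foreach ($fields as $name => $value) {
        $out .= sprintf(
            "<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        );
    }
    return $out;
}

// --- Walk-through with constructed requests (no real HTTP involved) ---

// Page 1 submitted: validate its choices, then carry them to page 2.
$page1 = ['trip_type' => 'return', 'cabin' => 'economy'];   // stands in for $_POST
$carried = validate_hidden_fields($page1);
$field = encode_view_state($carried);
echo hidden_inputs(['view_state' => $field]);

// Page 2 submitted with the carried field untouched: the state is recovered.
var_dump(decode_view_state($field) === $carried);

// Page 2 submitted with a re-encoded payload under the old tag: rejected,
// because the client cannot compute a valid tag without the secret.
$forged = base64_encode(json_encode(['trip_type' => 'return', 'cabin' => 'business']))
        . '.' . explode('.', $field, 2)[1];
var_dump(decode_view_state($forged));

// A plain hidden field outside the allowlist is rejected before any use.
try {
    validate_hidden_fields(['trip_type' => 'return', 'cabin' => 'first']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The allowlist alone covers fields with a small, fixed set of answers, which is what the thread proposes; the HMAC tag extends the same idea to free-form state (names, dates, quantities) that cannot be enumerated, while still keeping nothing in server memory between pages. Either way the data is validated again on the final submit, since a tag only proves the server produced the field, not that the values are still acceptable.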