JavaScript considered harmful (was Re: New online index to Beazley's tutorials)

Chris Gonnerman chris.gonnerman at newcenturycomputers.net
Tue Jan 8 07:55:20 EST 2002


----- Original Message -----
From: "Aahz Maruch" <aahz at panix.com>


> In article <a1ekt4$jv1$1 at serv1.iunet.it>, Alex Martelli <aleax at aleax.it>
> wrote:
> >The obvious problem: visitors find it irksome to have to type the
> >username and password on each site-visit in order to get at the
> >nifty customization features.  We need some client-side state to
> >ameliorate this.
>
> Nope.  If security matters, then you don't want client-side state.  If
> security doesn't matter, you can provide a bookmarkable URL with their
> login information.  It's really that simple.  You're certainly not going
> to store all that customizing information in cookies because of the
> multi-machine problem I mentioned earlier.

I'm with Alex here... particularly since you don't store "all that
customizing information" on the client machine.  Generally I store an
apparently random bit of data (the primary key value of the database
record where the primary identification of the user is stored).  Small and
unobtrusive, but it gets the job done.  Lacking a valid value for this
cookie, I force the user to enter username and password.

If "security matters" (it hasn't in any of my cases so far), I would
either not do this (banking information for instance should always require
a login step) or do it only if the user confirms it (like Amazon's one-click
ordering system).
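One way to build the persistent-login cookie described above so that its value is unguessable. This is an added example, not code from the post; it assumes a Python web application with a server-side token table and a 30-day cookie lifetime. The cookie carries only a random token, while the user's database primary key (a sequential value that can be guessed or incremented) never leaves the server.

```python
import hashlib
import secrets
import time

# Assumed 30-day lifetime for the persistent login cookie (not from the post).
TOKEN_TTL_SECONDS = 30 * 24 * 3600


def _digest(token):
    # Store only a hash of the token so a leaked table cannot be replayed as cookies.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class RememberMeStore:
    """Server-side table mapping opaque cookie tokens to user records.

    The cookie holds a random token; the user's primary key stays on the
    server, so the cookie value cannot be guessed or incremented.
    """

    def __init__(self, now=time.time):
        self._now = now    # injectable clock, so expiry can be tested
        self._rows = {}    # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id):
        # 32 bytes from the OS CSPRNG, URL-safe so it can go straight into Set-Cookie.
        token = secrets.token_urlsafe(32)
        self._rows[_digest(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def lookup(self, token):
        """Return the user_id for a valid, unexpired token, else None."""
        row = self._rows.get(_digest(token))
        if row is None:
            return None
        user_id, expires_at = row
        if self._now() > expires_at:
            self.revoke(token)    # lazily drop expired rows
            return None
        return user_id

    def revoke(self, token):
        # Called on logout or password change; the cookie is useless afterwards.
        self._rows.pop(_digest(token), None)


def set_cookie_header(token):
    # Attributes keep the token off plain-HTTP connections and out of script reach.
    return (f"remember={token}; Max-Age={TOKEN_TTL_SECONDS}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")
```

A login request that lacks a valid token falls through to the username/password step, exactly as the post describes; the token store simply replaces the primary key as the cookie value.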
