Hi!
> In proposal 2 (see above) the use-data _and_ the structure is
> transferred to the client, so by changing the structure, the (hacking)
> user can try to recreate and set any properties on any bean on the
> server, if no encryption is used.
>   
Regardless of the solution we use, we should abstract the creation of
the URL so one can replace it with their own implementation.

I see three types of them:

*) plain - pass through (so hackable)
*) encryption (leads to the URL becoming too large for a GET)
*) leases - I have done this in one of my projects. The user is able to
bookmark a page but only gets a lease-ID. The server stores the correct
URL for this lease (something like tinyurl) - not hackable, repeatable,
and no size limit - we just need a parameter to let a lease die if not
used for a couple of months.


---
Mario
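
The lease approach from the message above, as an added example; it is not code from the original post or from the project. The class name `LeaseStore`, the 60-day idle limit, the 128-bit random ID and the sample URL are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical lease store: the client only ever sees an opaque lease ID. */
public class LeaseStore {
    private record Lease(String url, Instant lastUsed) {}

    private final Map<String, Lease> leases = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration maxIdle; // the "let a lease die if not used" parameter

    public LeaseStore(Duration maxIdle) { this.maxIdle = maxIdle; }

    /** Store the real URL server-side and hand back an unguessable ID. */
    public String issue(String url, Instant now) {
        byte[] raw = new byte[16]; // 128 random bits, not a counter that can be enumerated
        random.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        leases.put(id, new Lease(url, now));
        return id;
    }

    /** Resolve a lease; unknown or idle-expired IDs yield an empty result. */
    public Optional<String> resolve(String id, Instant now) {
        Lease updated = leases.computeIfPresent(id, (k, l) ->
            Duration.between(l.lastUsed(), now).compareTo(maxIdle) > 0
                ? null                        // idle too long: drop the entry
                : new Lease(l.url(), now));   // used: restart the idle timer
        return Optional.ofNullable(updated).map(Lease::url);
    }

    public static void main(String[] args) {
        LeaseStore store = new LeaseStore(Duration.ofDays(60)); // assumed idle limit
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z");     // constructed sample time
        String id = store.issue("/orders/view?orderId=42", t0); // constructed sample URL
        System.out.println(store.resolve(id, t0.plus(Duration.ofDays(30))));  // used within the idle window
        System.out.println(store.resolve("tampered-id", t0));                 // ID that was never issued
        System.out.println(store.resolve(id, t0.plus(Duration.ofDays(120)))); // 90 days after the last use
    }
}
```

Because the bean and property names never leave the server, a changed lease ID can only miss the map; it cannot select a different bean or property.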
