Re: Javascript - just say no(t required)
>>>>> "Les" == Les Mikesell <[EMAIL PROTECTED]> writes:

Les> I think it is also very reasonable to store user-selected preferences
Les> in cookies, especially for things like sizes, colors, fonts for
Les> certain pages. Why should the server side have to store millions
Les> of things like that? Even if it does, the choices may be different
Les> for the same user running a different browser. Normally you
Les> would have some default that would work for the cookie-challenged
Les> folks anyway.

Please remember that the cookie space is spec'ed to be limited. So
your cookie may get pushed out for others. So there'd better be a way
to trivially reload all that stuff, or your customers will be angry.

Might as well be nice, store the info server side, and treat it like a
login.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<[EMAIL PROTECTED]> http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
Re: Javascript - just say no(t required)
----- Original Message -----
From: "dreamwvr" <[EMAIL PROTECTED]>
To: "Randal L. Schwartz" <[EMAIL PROTECTED]>
Cc: "Gunther Birznieks" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, January 05, 2001 12:00 PM
Subject: Re: Javascript - just say no(t required)

> hi,
> Seems to me the only reasonable usage for cookies that does not
> seem to be abuse.org is as a temporary ticket granting system.. so
> the next time you want to get a byte you need a ticket to goto the
> smorg..

I think it is also very reasonable to store user-selected preferences
in cookies, especially for things like sizes, colors, fonts for
certain pages. Why should the server side have to store millions
of things like that? Even if it does, the choices may be different
for the same user running a different browser. Normally you
would have some default that would work for the cookie-challenged
folks anyway.

Les Mikesell
[EMAIL PROTECTED]
Re: Javascript - just say no(t required)
hi,
Seems to me the only reasonable usage for cookies that does not
seem to be abuse.org is as a temporary ticket granting system.. so
the next time you want to get a byte you need a ticket to goto the
smorg..

Best Regards - [EMAIL PROTECTED]
Re: Javascript - just say no(t required)
>>>>> "Gunther" == Gunther Birznieks <[EMAIL PROTECTED]> writes:

Gunther> There's a lot of similar FUD about using cookies (not accepted on
Gunther> PDAs, people scared of them, etc). Personally, I don't like to program
Gunther> using cookies and I have my browser explicitly warn me of the cookie
Gunther> before accepting (which does slow down my browsing experience but is
Gunther> most interesting), but the reality is that shedloads of sites use
Gunther> them to enhance the user experience but don't make it a problem if
Gunther> they don't go and use them.

I'm fine with requiring and using cookies for short-term session
management, but for long term authentication, they presume "one user
== one browser", and that's patently false.

If you must use them for long term identification, make it very clear
that I'm "logged in", and give me a quick way to "log out", and let me
"log in" from a different browser, and automatically "log me out"
after 4 hours or so in case I forget. :) And don't do that merely by
browser cookie expiration... make the server distrust any cookie after
that time, which means you have to generate a unique cookie on each
login.

Gunther> Speaking of which, I guess the non-use of Cookies and
Gunther> JavaScript would make a great NY Resolution...

What does New York have to do with it? :)

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<[EMAIL PROTECTED]> http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
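The server-side expiry described in the message above, sketched as an added example that is not part of the original thread or any poster's code. The names SessionStore and MAX_AGE and the in-memory dictionary standing in for a session table are assumptions made for illustration.

```python
import hashlib
import secrets
import time

MAX_AGE = 4 * 60 * 60  # "after 4 hours or so", enforced by the server


class SessionStore:
    """In-memory stand-in for a server-side session table (assumption)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # sha256(token) -> (user, issued_at)

    @staticmethod
    def _key(token):
        # Store only a hash so a leaked table does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user):
        """Mint a fresh random token on every login; never reuse one."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = (user, self._clock())
        return token  # value to send in the Set-Cookie header

    def whoami(self, token):
        """Return the user for a presented cookie, or None if distrusted."""
        key = self._key(token or "")
        record = self._sessions.get(key)
        if record is None:
            return None
        user, issued_at = record
        if self._clock() - issued_at > MAX_AGE:
            # Age is judged from the server's record, not the cookie's Expires.
            del self._sessions[key]
            return None
        return user

    def logout(self, token):
        """Explicit log out: drop this one session, leave other browsers alone."""
        self._sessions.pop(self._key(token or ""), None)
```

Because each login gets its own token, the same user can be logged in from two browsers and log out of one without affecting the other.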
Re: Javascript - just say no(t required)
Yeah, but in the real world regardless of the FUD about firewalls and the
like... The feedback that I have had from people using this technique is
that the apps that have had this code implemented experience dramatic
reduction in double postings to the point where they no longer exist.

And the code I posted is not making the basic application unavailable. It
just allows double-postings if javascript is not enabled which in practice
isn't that much when you consider the intersection of people who double
click and the people likely to have JS disabled.

For a heavily used site, I would recommend ultimately a better server-side
solution because the amount of time to develop and maintain a server side
solution is "worth it", but it's not as easy and quick to fix an app in
this respect as it is to add a quickie javascript fix for the short-term or
for an app that it's not worth spending more time on.

There's a lot of similar FUD about using cookies (not accepted on PDAs,
people scared of them, etc). Personally, I don't like to program using
cookies and I have my browser explicitly warn me of the cookie before
accepting (which does slow down my browsing experience but is most
interesting), but the reality is that shedloads of sites use them to
enhance the user experience but don't make it a problem if they don't go
and use them.

Anyway, whatever. Happy New Year! :)

Speaking of which, I guess the non-use of Cookies and JavaScript would make
a great NY Resolution...

At 06:00 PM 1/4/2001 -0800, Randal L. Schwartz wrote:
> >>>>> "Gunther" == Gunther Birznieks <[EMAIL PROTECTED]> writes:
>
>Gunther> But I've also seen a lot of people use javascript to accomplish the
>Gunther> same thing as a quick fix. Few browsers don't support javascript. Of
>Gunther> the small amount that don't, the venn diagram merge of browsers that
>Gunther> don't do javascript and users with an itchy trigger finger is very
>Gunther> small. The advantage is that it's faster than mungling your own
>Gunther> server-side code with extra logic to prevent double posting.
>
>My browser "supports" Javascript, but has it turned off whenever I'm going
>to an unknown web page.
>
>Presuming that the CERT notices are being posted widely enough, there
>are demonstrably *more* people with Javascript turned off today than
>ever before.
>
>That means you can use Javascript to enhance the experience, but I'll
>come over and rip your throat out (if I knew your address) if you make
>it required for basic services.
>
>And don't forget the corporate firewalls that strip Javascript for
>security reasons. And the hundreds of new "net devices" showing up
>that understand HTTP and XHTML, but nothing about Javascript.
>
>Javascript. Just say no(t required).
>
>--
>Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
><[EMAIL PROTECTED]> http://www.stonehenge.com/merlyn/>
>Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
>See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

__
Gunther Birznieks ([EMAIL PROTECTED])
eXtropia - The Web Technology Company
http://www.extropia.com/
Javascript - just say no(t required)
>>>>> "Gunther" == Gunther Birznieks <[EMAIL PROTECTED]> writes:

Gunther> But I've also seen a lot of people use javascript to accomplish the
Gunther> same thing as a quick fix. Few browsers don't support javascript. Of
Gunther> the small amount that don't, the venn diagram merge of browsers that
Gunther> don't do javascript and users with an itchy trigger finger is very
Gunther> small. The advantage is that it's faster than mungling your own
Gunther> server-side code with extra logic to prevent double posting.

My browser "supports" Javascript, but has it turned off whenever I'm going
to an unknown web page.

Presuming that the CERT notices are being posted widely enough, there
are demonstrably *more* people with Javascript turned off today than
ever before.

That means you can use Javascript to enhance the experience, but I'll
come over and rip your throat out (if I knew your address) if you make
it required for basic services.

And don't forget the corporate firewalls that strip Javascript for
security reasons. And the hundreds of new "net devices" showing up
that understand HTTP and XHTML, but nothing about Javascript.

Javascript. Just say no(t required).

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<[EMAIL PROTECTED]> http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!