andrh...@hotmail.com wrote
I agree with ya.  I have been doing something very similar with
hidden fields in my app for some time.

If every request in your app is a POST, or if every link in your app is JavaScript that causes a POST, that's fine. I like using actual links, though, which result in GETs, so the only way to include this token in every link results in ugly, non-human-readable, likely not bookmarkable URLs. I work very hard to make sure that my apps have clean, human-understandable URLs, so I find this "solution" more of a problem than the "one login session per http session" restriction. I would also find a site designed this way to be quite annoying to use, as I often open multiple windows/tabs/etc. *expecting* them to be within the same "conversation".

-Dale
