On 1/20/07, Howard Lewis Ship <[EMAIL PROTECTED]> wrote:
I've been thinking about this as well. I think the most secure approach will be to store the serialized data in a temporary (embedded or flat file) database on the server, and send just a short, opaque identifier to the client. This has the added benefit of storing significantly less data on the client side (which might allow the use of GET for forms that do not modify externally persistent state). Certainly, "salting" the identifier with a session id, or other value that uniquely identifies the user, will be important. I can see two different "stores" for this data; one for unidentified visitors that "salts" with the user's IP address, the other that "salts" with the session id. Clustering issues will make this more complex.
Please don't force the use of a session.

-- 
Massimo
http://meridio.blogspot.com
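One way to implement the server-side store Howard proposes, added here as an example that is not code from either poster or from Tapestry itself: the client only ever sees a short random token, and the lookup key is derived from that token plus a per-user salt, so a token presented under a different session id (or, for anonymous visitors, a different client address) finds nothing. The class and function names are my own, and the serialized state and session ids are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample payload standing in for a serialized form.
SAMPLE_STATE = b'{"form":"order","items":[{"sku":"A1","qty":2}]}'


class FormStateStore:
    """Keeps serialized form state on the server; hands the client an opaque id."""

    def __init__(self, server_key: bytes):
        self._key = server_key      # secret known only to the server
        self._entries = {}          # derived lookup key -> serialized state

    def _lookup_key(self, token: str, salt: str) -> str:
        # Bind the token to the user-specific salt (session id, or client IP
        # for visitors without a session; IP is the weaker binding because
        # several users may share one address behind NAT or a proxy).
        msg = f"{salt}:{token}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def put(self, state: bytes, salt: str) -> str:
        token = secrets.token_urlsafe(16)   # short, random, unguessable
        self._entries[self._lookup_key(token, salt)] = state
        return token

    def get(self, token: str, salt: str):
        # Returns None when the token is unknown or bound to another salt.
        return self._entries.get(self._lookup_key(token, salt))

    def pop(self, token: str, salt: str):
        # One-time retrieval on submit, so a replayed token finds nothing.
        return self._entries.pop(self._lookup_key(token, salt), None)


def demo():
    """Store state for session-A and show that session-B cannot read it."""
    store = FormStateStore(secrets.token_bytes(32))
    token = store.put(SAMPLE_STATE, salt="session-A")   # constructed session id
    same_user = store.get(token, salt="session-A")
    other_user = store.get(token, salt="session-B")     # different salt: miss
    consumed = store.pop(token, salt="session-A")
    replayed = store.pop(token, salt="session-A")       # already consumed: miss
    return token, same_user, other_user, consumed, replayed
```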
