How does this eliminate the need for cookies? ... No matter how much you can save on the server side, HTTP is stateless and you need some piece of data coming from the client to indicate that this request is tied to a previous request ...

For example, take a look at Web Authoring System Haskell. It records a journal of client-server interactions, sends this journal to the client as part of every response (in a hidden field in an HTML form), and when the form is submitted, it replays the journal on the server to recreate the state.

Cheers,
Tom

Whether you send the data to the client as a hidden field in a form, or as a cookie it's basically the same thing. And by using a cookie you can be sure that the data will be in every request the user sends (GET's, links, images, media, etc) from then on, not just the results of a form.

While this would reduce the need for server side storage of sessions, this can already be done. There are lots of people who instead of sending a session id in the cookie (or hidden field) will send a serialized version of an object or hash which they can then unserialize at the next request.

-- More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk. -- Bruce Schneier

Whether you send the data to the client as a hidden field in a form, or as a cookie it's basically the same thing.

Not really. The complete-state-in-a-form method allows for easy session forking. It also allows users to undo state transitions by backing up into the browser history. Cookies don't support either of these.

Cheers,
Tom

Tom Moertel : Blog / Talks / CPAN / LectroTest / PXSL / Coffee / Movie Rating Decoder

This sounds horribly insecure to me. How do you stop the client from changing the state into one it shouldn't.

I think I'll keep cookies with a randomly-generated ID crossreferenced to a database.

"There is no shame in being self-taught, only in not trying to learn in the first place." -- Atrus, Myst: The Book of D'ni.

How do you stop the client from changing the state into one it shouldn't?

It's easy: cryptographically sign the state.

Tom Moertel : Blog / Talks / CPAN / LectroTest / PXSL / Coffee / Movie Rating Decoder

How do you stop the client from changing the state into one it shouldn't.

Encryption

Storing the session state in the form sent back to the browser may have security implications if it reveals internal server information. In addition, the session state often contains sensible user input, like passwords. WASH/CGI addresses both concerns by providing a one-time pad encryption for the session state.

20050705 Janitored by Corion: Moved (broken) link from a tag into [http://