I think there are two distinct issues here:
1. Is it safe? In other words, does it prevent a malicious user from changing parameters by editing the URL? No, it doesn't. This may not matter to you; a user changing 'choice=1' to 'choice=2' may be no different from if he'd backed up and switched a checkbox. But if he can change something like 'paid=no' to 'paid=yes', that may be a big problem. It depends on the data you're passing through the URL, and what he could affect by editing it.
2. Is it likely to break the functionality? Funny stuff happens with the back button and dynamic pages, depending on server and browser cache settings and other things. You really can't control what happens when they back up, whether their browser fills in the fields as they were before, or whether it submits the same form info that created the previous page, etc. So each step in your process has to be able to handle the fact that the browser could send anything (or nothing) any number of times for that particular step.
Sessions are the way to go, whether your powers-that-be like it or not. If you're concerned that someone will refuse cookies, you can pass a session key in the URL, but still keep your sensitive data on the server end, preventing users from editing the data directly.
Aaron B.
Available for small or large Perl jobs; see my home node.
In reply to Re^5: Browser behavior in remembering parameters
by aaron_baugher
in thread Browser behavior in remembering parameters
by perlrookie1
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |