Hi Bil,

Thank you for your thoughtful reply. And especially for your last sentence. That is a motto I will keep in mind. I would indeed manage the authenticity and authorization on the server side as well but felt the use of a framework was overkill. I will have to review the framework features that address security to see if they are worth the added complication or whether I can manage those needs in my own code. I do that in the Windows apps already so my model would be to carry that security to the server side (acknowledging that Windows apps do not have as high a security risk as web apps).

Thanks again,
John

> Date: Sun, 13 Jul 2008 08:25:43 -0500
> From: [EMAIL PROTECTED]
> To: jquery-en@googlegroups.com
> Subject: [jQuery] Re: jQuery and RIA design
>
> john6630 wrote on 7/12/2008 9:31 PM:
> > I have studied the jqModal plug-in and Alexandre Plennevaux's tutorial
> > on using this with an IFrame. It seems to me, I can emulate my
> > windows programming approach using a main page with navigation which
> > launches various other pages using jqModal and Ajax. If that is
> > possible, won't the stateless issue be resolved since I can use global
> > variables on the main page to store authorization, activity, state,
> > etc.? It seems this would be an exact fit to my current programming
> > process. It also would not require a "framework" since my app is
> > essentially the total framework.
>
> You could code a webapp like this, where it's driven from a master page on
> the client side. The issue is if the client is responsible for storing
> authorization, state, etc, then a malicious user could circumvent your
> authorization and change their state. That's why the proliferation of
> server-side frameworks; they provide the scaffolding you need to build a
> secure web app (a way to maintain the state of the client, a way to authorize
> them, etc).
>
> The #1 rule for secure webapp programming is to treat all client input
> (headers and request) as hostile until proven otherwise (or sanitized).
>
> - Bil
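
The point about client-held authorization state, as an added example that is not part of the original thread: one handler trusts a role sent by the page, the other looks the role up in a server-side session and validates the request first. The function names, the `x-session-id` header and the sample accounts are assumptions made for illustration, and no framework is used.

```javascript
// Added illustration; every name below is hypothetical, sample data is constructed.
const crypto = require('node:crypto');

// Constructed accounts. Credential checking is omitted to keep the focus on state.
const ACCOUNTS = new Map([['alice', { role: 'user' }], ['carol', { role: 'admin' }]]);

// Authorization state lives only here, on the server.
const sessions = new Map(); // sessionId -> { user, role }

function login(user) {
  const account = ACCOUNTS.get(user);
  if (!account) return null;
  const sessionId = crypto.randomBytes(32).toString('hex'); // unguessable handle
  sessions.set(sessionId, { user, role: account.role });
  return sessionId; // the browser keeps this opaque id and nothing else
}

// Pattern from the question: the page's global variables say who the user is.
function deleteRecordTrustingClient(request) {
  const body = request.body || {};
  return body.role === 'admin' ? 'deleted' : 'denied';
}

// Server-side check: headers and body are hostile until validated.
function deleteRecord(request) {
  const id = (request.headers || {})['x-session-id'];
  if (typeof id !== 'string' || !/^[0-9a-f]{64}$/.test(id)) return 'denied';
  const session = sessions.get(id);
  if (!session) return 'denied';
  // The role comes from the server's record; any body.role is ignored.
  if (session.role !== 'admin') return 'denied';
  const recordId = Number((request.body || {}).recordId);
  if (!Number.isInteger(recordId) || recordId < 0) return 'bad request';
  return 'deleted';
}

// Constructed request: a logged-in ordinary user has edited the client-side state.
function demo() {
  const sid = login('alice');
  const tampered = { headers: { 'x-session-id': sid }, body: { role: 'admin', recordId: 7 } };
  return { trusting: deleteRecordTrustingClient(tampered), serverSide: deleteRecord(tampered) };
}

console.log(demo());
```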