This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
To: Gunther Birznieks <gunther@extropia.com>
From: merlyn@stonehenge.com (Randal L. Schwartz)
Subject: Javascript - just say no(t required)
Date: 04 Jan 2001 18:00:48 -0800

>>>>> "Gunther" == Gunther Birznieks <gunther@extropia.com> writes:

Gunther> But I've also seen a lot of people use javascript to accomplish the
Gunther> same thing as a quick fix. Few browsers don't support javascript. Of
Gunther> the small amount that don't, the venn diagram merge of browsers that
Gunther> don't do javascript and users with an itchy trigger finger is very
Gunther> small. The advantage is that it's faster than mungling your own
Gunther> server-side code with extra logic to prevent double posting.

My browser "supports" Javascript, but has it turned off whenever I'm
going to an unknown web page. Presuming that the CERT notices are
being posted widely enough, there are demonstrably *more* people
with Javascript turned off today than ever before.

That means you can use Javascript to enhance the experience, but I'll
come over and rip your throat out (if I knew your address) if you make
it required for basic services.

And don't forget the corporate firewalls that strip Javascript for
security reasons. And the hundreds of new "net devices" showing up
that understand HTTP and XHTML, but nothing about Javascript.

Javascript. Just say no(t required).

===

To: <modperl@apache.org>
From: Gunther Birznieks <gunther@extropia.com>
Subject: Re: Javascript - just say no(t required)
Date: Fri, 05 Jan 2001 10:29:29 +0800

Yeah, but in the real world regardless of the FUD about firewalls and the
like...

The feedback that I have had from people using this technique is that the
apps that have had this code implemented experience dramatic reduction in
double postings to the point where they no longer exist.

And the code I posted is not making the basic application unavailable. It
just allows double-postings if javascript is not enabled which in practice
isn't that much when you consider the intersection of people who double
click and the people likely to have JS disabled.

For a heavily used site, I would recommend ultimately a better server-side
solution because the amount of time to develop and maintain a server side
solution is "worth it", but it's not as easy and quick to fix an app in
this respect as it is to add a quickie javascript fix for the short-term or
for an app that it's not worth spending more time on.

There's a lot of similar FUD about using cookies (not accepted on PDAs,
people scared of them, etc). Personally, I don't like to program using
cookies and I have my browser explicitly warn me of the cookie before
accepting (which does slow down my browsing experience but is most
interesting), but the reality is that shedloads of sites use them to
enhance the user experience but don't make it a problem if they don't go
and use them.

Anyway, whatever. Happy New Year! :)

Speaking of which, I guess the non-use of Cookies and JavaScript would make
a great NY Resolution...

===

To: Gunther Birznieks <gunther@extropia.com>
From: merlyn@stonehenge.com (Randal L. Schwartz)
Subject: Re: Javascript - just say no(t required)
Date: 05 Jan 2001 08:13:13 -0800

>>>>> "Gunther" == Gunther Birznieks <gunther@extropia.com> writes:

Gunther> There's a lot of similar FUD about using cookies (not accepted on
Gunther> PDAs, people scared of them, etc). Personally, I don't like to program
Gunther> using cookies and I have my browser explicitly warn me of the cookie
Gunther> before accepting (which does slow down my browsing experience but is
Gunther> most interesting), but the reality is that shedloads of sites use
Gunther> them to enhance the user experience but don't make it a problem if
Gunther> they don't go and use them.

I'm fine with requiring and using cookies for short-term session
management, but for long term authentication, they presume "one user
== one browser", and that's patently false.

If you must use them for long term identification, make it very clear
that I'm "logged in", and give me a quick way to "log out", and let me
"log in" from a different browser, and automatically "log me out"
after 4 hours or so in case I forget. :) And don't do that merely by
browser cookie expiration... make the server distrust any cookie after
that time, which means you have to generate a unique cookie on each
login.

Gunther> Speaking of which, I guess the non-use of Cookies and
Gunther> JavaScript would make a great NY Resolution...

What does New York have to do with it? :)

===
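
The server-side expiry described in the last message above (a unique cookie value per login, distrusted by the server after about 4 hours, with explicit logout and logins from several browsers), sketched as an added example that is not part of the original thread. `SessionStore`, its method names and the in-memory dict are assumptions made for illustration.

```python
import hashlib
import secrets
import time

SESSION_TTL = 4 * 60 * 60  # "4 hours or so", enforced by the server


class SessionStore:
    """Hypothetical in-memory session table; a real site would use a shared store."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self._sessions = {}  # sha256(token) -> (user, issued_at)

    @staticmethod
    def _key(token):
        # Keep only a hash so a leaked session table cannot be replayed as cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user):
        """Issue a fresh random cookie value on every login, one per browser."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = (user, self.clock())
        return token

    def validate(self, token):
        """Return the user for a live token, or None if unknown or too old."""
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user, issued_at = entry
        if self.clock() - issued_at >= self.ttl:
            del self._sessions[key]  # expired: distrusted whatever the browser sends
            return None
        return user

    def logout(self, token):
        """Explicit logout revokes this browser's token only."""
        return self._sessions.pop(self._key(token), None) is not None


if __name__ == "__main__":
    now = [1_000_000.0]  # constructed clock so the demo is deterministic
    store = SessionStore(clock=lambda: now[0])
    laptop, kiosk = store.login("alice"), store.login("alice")
    store.logout(kiosk)
    now[0] += SESSION_TTL
    print(store.validate(laptop), store.validate(kiosk))  # None None
```

The cookie's own expiry attribute can still be set for convenience, but the decision to trust the value is made only from the server's record of when it was issued.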