Blooper 9: Requiring Unneeded Data

The Web was originally designed with no notion of an extended session-a connected series of requests. Web servers receive requests for individual pages from around the Internet and respond by sending each page to its requester. Each request is treated independent of others. As a result, Web servers-and therefore websites-initially had no way to know that two successive page requests came from the same user .

Why was the Web designed this way? Because it was designed for sharing information, not for processing transactions. When people were just looking at archived documents and each other's Web pages, there was no problem.

When forms, scripts, and e-commerce were added to the Web, the problems of propagating data through a stateless system arose. Web implementers had to devise ways to let Web servers determine that a series of requests is from the same user, and ways to propagate data between pages.

It isn't so much of a problem when data is to be shared between forms on two successive Web pages. In that special case, the script processing the first form's data can load the next form with any data that carries over. The problem arises when there are intervening pages without data on them: Data collected on page 1 isn't needed on page 2 but is needed on page 3. Compounding the problem is that Web users can-and do-navigate unpredictably around a site, rather than in predefined paths.

To allow sites to propagate users' data throughout a site to avoid asking for it again, three quite different methods were devised: "hidden forms," "cookies," and "stuffed" URLs. A fourth, very different approach involving browsers is described afterward.

Hidden Forms

In this approach, every page has a form on it, but most pages hide them. All links from the page trigger a Submit script, which (among other things) passes the data to the next page. This is cumbersome and slow, because

• The form pages must be generated dynamically, in order to be filled in automatically by the scripts. The hidden forms method doesn't work for static HTML forms.

• A site's pages contain extra, invisible baggage, inflating their size and download times.

• All the data is sent back and forth between the browser and the server every time a link or button is clicked.

The "hidden forms" approach is now regarded as "old fashioned"; the next two methods are preferred.

Cookies

Website developers and browser makers devised a way for a website to send a small token-known as a cookie -to a Web user's browser and later retrieve it. The cookie identifies the site that issues it and assigns a unique ID to the user. It can also store other data. The browser saves the cookie and whenever the site asks for it sends it back. When a user accesses a page on a site, the site asks the user's browser if it has the site's cookie. If the browser has the cookie, it sends it back to the site. The site uses the cookie's user ID to retrieve the user's data from its database for use on the current page.

There are two types of cookies:

• Session cookies: Browsers store these in memory and delete them when the user navigates to a new Web domain (e.g., from Amazon.com to Powells.com ). Session cookies allow sites to track a user through a session.

• Persistent cookies: Browsers store these in disk files and don't delete them until asked to by the issuing domain or the user. Persistent cookies allow sites to recognize returning users and relieve them of the need to log in every time they revisit a site.

Cookies are the primary way websites avoid asking users twice for the same data. For example, ACSCSN.org achieves a single site-wide login by setting a login cookie on the user's computer and having all restricted functions check for the cookie. If the cookie is absent, the user is asked to log in before he or she can access the function.

However, cookies are controversial , especially persistent ones. They can be abused to track individuals around the Web, violating their privacy. Although a given Web domain can check only for its own cookies, banner ads can issue and check for their own cookies, from all the sites on which the ad appears. Web advertisers sometimes do this. Some Web users dislike the idea of being tracked. Another problem is that persistent cookies consume space on users' computers. Although the amount of space cookies require is usually miniscule, some people don't like the thought that any website they visit can put cookies on their computer. Based on these concerns, some Web users set their browsers to refuse some or all cookies. Sites that rely on cookies may not work properly for such users.

Browser makers such as Netscape and Microsoft have tried to address concerns about cookies. Newer browsers give Web users more control over what cookies their browser accepts and allow users to examine and delete persistent cookies. However, the tracking problem remains. Browser makers and architects of the Web could help alleviate concerns about cookies by making it harder to abuse them.

Stuffed URLs

Another way to follow users from page to page in a site involves " stuffing " the URL of a destination page with data from the current Web session (visit), such as a unique session ID. For example,

 <a href="checkout.html">Checkout</a> 

would be sent as either

 <a href="checkout.html?id=543XYZZY"> Checkout</a> 

or

 <a href="checkout.html?email = FredFlinstone@bedrock.net">Checkout</a> 

The site receives the URL and sends the page, either augmenting it directly with the user's data or using the session ID to fetch the user's data and then augmenting the page.

Of course, this method results in long, complex URLs most users can't decipher. Such URLs also make poor bookmarks. If the appended data is more than just site-generated unique session IDs, such as an email address or telephone number, there are more serious disadvantages: (1) The data is transmitted unencrypted over the Internet, where it can be intercepted, and (2) the data becomes part of the site's permanent Web log, where many people can access it.

Designers of Web protocols and browser companies could improve this situation by devising a way for browsers and websites to pass session data-preferably encrypted-without appending it to URLs.

Browser-Based Solution: Automatic Form Fill-in

Browser makers recently began offering their own solution to the "repeated request" blooper. Newer browsers can detect forms on displayed pages and offer to fill in data automatically. The browser either remembers the data from previous website forms the user filled out or gets it from a special user-profile form the user filled out.

This approach assumes-probably correctly-that Web users don't care how the "repeated request" problem is solved ; they just don't want to have to reenter data. It shifts the responsibility for remembering data from websites to the browser.

The problems of browser-based form fill in are as follows :

• Not all browsers provide it yet.

• Few Web users use it, even if their browser provides it.

• Browsers sometimes miss data fields for which they have data.

• Browsers sometimes fill in data fields incorrectly.

Web developers can foster browser-based automatic form fill-in by using semantic page-description languages such as XML instead of HTML and by tagging data fields in standard ways. For example, if email address fields in all forms were tagged "<email_addr>," browsers could recognize them reliably.

Browser-based automatic form fill-in may eventually be the dominant way the "repeated request" problem is solved. Until then, the burden is on site developers, who have to do whatever they can to avoid asking their users for data repeatedly.