Ted Ashton wrote:

>There seems to be some confusion.  What I was recommending was not URL
>rewriting (specifically because of the concerns above), but rather including
>a hidden field in the form (as mentioned previously).  While you will lose a
>session which uses these if you browse elsewhere and do not return via the
>Back button, the other things mentioned are not a problem.  Moreover, I expect
>that you will find this one particular problem to be quite rare.

I seem to be misunderstanding your statement regarding the hidden field in a form.  I apologize if so.

I do agree that the session id must be placed as a hidden field in a form, and all forms that may be on that page.  In addition to the forms, the session id must be appended, as a cgi parameter, to all hyperlinks  that are on that page which point to other pages in the same site.  Thus, the session id is passed to the cgi through all hyperlinks.  If the id is not passed, state is lost.  Also, when you are on this current page, if you are trying to maintain state, the session id must have gotten passed to the cgi from the previous page, whether a forms post/get or a hyperlinks get parameter.

My gut feeling tells me that you know this, but I hope it clears up my misunderstaing of what you are trying to say.

regards,

Evan Vaala