[Programming Python (4th Edition)].(Programming.Python.4th.Edition).Mark.Lutz.Text Edition

to the next script along with any real inputs, to serve as context. The net effect provides
context for an entire input form, not a particular hyperlink. An already entered user-
name, password, or selection, for instance, can be implied by the values of hidden fields
in subsequently generated pages.


In terms of code, hidden fields are generated by server-side scripts as part of the reply
page’s HTML and are later returned by the client with all of the form’s input data.
Previewing the next chapter’s usage again:


print('<form method=post action="%s/onViewSubmit.py">' % urlroot)
print('<input type=hidden name=mnum value="%s">' % msgnum)
print('<input type=hidden name=user value="%s">' % user)
print('<input type=hidden name=site value="%s">' % site)
print('<input type=hidden name=pswd value="%s">' % pswd)

Like query parameters, hidden form fields can also serve as a sort of memory, retaining
state information from page to page. Also like query parameters, because this kind of
memory is embedded in the page itself, hidden fields are useful for state retention
among the pages of a single session of interaction, but not for data that spans multiple
sessions.


And like both query parameters and cookies (up next), hidden form fields may be visible
to users—though hidden in rendered pages and URLs, their values still are displayed
if the page’s raw HTML source code is displayed. As a result, hidden form fields are
not secure; encryption of the embedded data may again be required in some contexts
to avoid display on the client or forgery in form submissions.
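One way to detect forged hidden fields when the form comes back, shown as an added example that is not code from the book. It swaps in a keyed MAC (HMAC-SHA256) rather than encryption, so it detects altered values but does not hide them, and the pswd field is left out for that reason. SERVER_KEY, PROTECTED, the sig field name and the sample values are assumptions made for this illustration.

```python
import hashlib
import hmac
import html

# Assumption: a secret known only to the server-side scripts (constructed value).
SERVER_KEY = b"constructed-demo-key-replace-me"
# Hidden fields whose values the server wants back unmodified.
PROTECTED = ("mnum", "user", "site")


def sign(fields):
    """Return a hex HMAC-SHA256 tag over the protected fields.

    Each name and value is length-prefixed so that shifting characters
    between adjacent fields cannot produce the same MAC input.
    """
    mac = hmac.new(SERVER_KEY, digestmod=hashlib.sha256)
    for name in PROTECTED:
        for part in (name, fields[name]):
            data = part.encode("utf-8")
            mac.update(len(data).to_bytes(4, "big") + data)
    return mac.hexdigest()


def render_hidden(fields):
    """Build the hidden inputs for the reply page, plus a 'sig' field."""
    signed = {name: fields[name] for name in PROTECTED}
    signed["sig"] = sign(fields)
    return "\n".join(
        '<input type=hidden name="%s" value="%s">'
        % (html.escape(name), html.escape(value))  # escape for attribute context
        for name, value in signed.items()
    )


def verify_submission(form):
    """Return True only if the returned hidden fields still match their tag."""
    if any(name not in form for name in PROTECTED):
        return False
    supplied = form.get("sig", "").encode("utf-8")
    # Constant-time comparison; bytes on both sides accepts any client input.
    return hmac.compare_digest(supplied, sign(form).encode("ascii"))


if __name__ == "__main__":
    sample = {"mnum": "3", "user": "bob", "site": "pop.example.net"}  # constructed
    print(render_hidden(sample))
    print(verify_submission(dict(sample, sig=sign(sample))))
```

The tag does not prevent replay of an earlier, validly signed form; binding a timestamp or session identifier into the signed fields would be needed for that.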


HTTP “Cookies”


Cookies, an extension to the HTTP protocol underlying the web model, are a way for
server-side applications to directly store information on the client computer. Because
this information is not embedded in the HTML of web pages, it outlives the pages of
a single session. As such, cookies are ideal for remembering things that must span
sessions.


Things like usernames and preferences, for example, are prime cookie candidates—
they will be available the next time the client visits our site. However, because cookies
may have space limitations, are seen by some as intrusive, and can be disabled by users
on the client, they are not always well suited to general data storage needs. They are
often best used for small pieces of noncritical cross-session state information, and
websites that aim for broad usage should generally still be able to operate if cookies are
unavailable.


Operationally, HTTP cookies are strings of information stored on the client machine
and transferred between client and server in HTTP message headers. Server-side scripts
generate HTTP headers to request that a cookie be stored on the client as part of the
script’s reply stream. Later, the client web browser generates HTTP headers that send
back all the cookies matching the server and page being contacted. In effect, cookie

