This FAQ explains to web site developers why you should stop requiring
also gives you a number of techniques to get the same effects without
can't do with normal HTML. The techniques presented here for removing
Remember, the more accessible your site is, the more potential customers
you have. If Amazon.com can do it, so can you.
This FAQ contains three sections:
If you have any questions that are not answered by this FAQ, or if you
have any comments, please send e-mail to
Last update: 20 May, 2004
Most of the truly glaring security holes have been fixed, but it still
requires vigilance on the part of site maintainers. If you require
Rather than re-hashing lots of arguments on this subject, here are some
links that provide this information:
of blind people use Lynx -- in fact, some people have threatened to sue
sites for non-compliance with the Americans with Disabilities Act (ADA)).
For another take on this issue, see
"This page optimized
specific, but about the perils of requiring any form of browser-specific
still need to write that code on your web server. Otherwise, you're
vulnerable to any hacker or script-kiddie who reverse-engineers your
source on each of your web pages). I personally have many times
needed area on a web server. Once you start duplicating your code, you
then have a problem synchronizing the code between what you've got in
(Some people have told me that they write code in an intermediate
language that generates both client-side and server-side code. It's not
clear to me how reliable that is if a specific browser is not required.)
- What about cookies?
persistent, if you use them for storing login name and password, you
present a security risk because most people use machines that have no
security (Win95/98 and Macintosh). (Even with OSes that provide
security, such as WinXP and OS X, it's likely that few people will
follow good security practices.) From the developer side, the big
problem with using cookies is that many people use multiple browsers on
multiple machines; if you're going to solve that problem, you might as
well skip cookies in the first place.
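
As an added illustration of the persistent-versus-session distinction (example code written for this edit, not part of the original FAQ), the following checks Set-Cookie header values and flags persistent cookies whose names suggest a login name or password. The sample headers and the name heuristic are constructed assumptions; Expires dates are not evaluated.

```python
import re

# Constructed Set-Cookie header values (sample data, not from any real site).
SAMPLE_HEADERS = [
    "SESSIONID=8f2c1a90; Path=/",
    "login=alice; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
    "password=hunter2; Max-Age=31536000",
    "theme=dark; Max-Age=2592000",
    "login=; Max-Age=0",
]

# Assumed heuristic: cookie names that suggest a login name or password.
CREDENTIAL_NAME = re.compile(r"user|login|pass|pwd", re.IGNORECASE)


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def classify(header):
    """Return (name, kind, warning) where kind is session/persistent/deleted."""
    name, _value, attrs = parse_set_cookie(header)
    max_age = attrs.get("max-age")
    # Max-Age <= 0 tells the browser to discard the cookie immediately.
    if max_age is not None and re.fullmatch(r"-?\d+", max_age) and int(max_age) <= 0:
        return name, "deleted", None
    # Expires or Max-Age makes the browser store the cookie across restarts;
    # with neither attribute the cookie lasts only for the browser session.
    if "expires" in attrs or max_age is not None:
        if CREDENTIAL_NAME.search(name):
            return name, "persistent", "credentials stored on the client's disk"
        return name, "persistent", None
    return name, "session", None


def audit(headers):
    """Classify every header; return only the cookies that carry a warning."""
    return [(n, k, w) for n, k, w in map(classify, headers) if w]


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(classify(header))
```
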
Non-persistent session cookies can work fairly well, and most newer
browsers can distinguish between persistent and session cookies.
However, people sticking with older browsers are more likely to just
reject all cookies (and there are good reasons for sticking with older
browsers -- many people prefer the cleaner interface of Netscape 3, for
example). There's also the issue of cross-site cookies (particularly
ads) violating privacy; again, newer browsers provide methods for
dealing with this, but it's still usually easier to completely turn off
Cookies are probably the lesser evil for maintaining session IDs at
least. Putting session IDs in the URL can be made secure, but it's
somewhat more cumbersome, and it looks ugly. In the end, though, with
For starters, it's a lot easier if you thoroughly familiarize yourself
with the standard HTML tags. My favorite reference is the
Bare Bones Guide
to HTML, which is available at
Here's a simple example that demonstrates how one can still use
- Don't use
Using a straight
http: URL will allow any browser to access
onClick attributes of the
<a href> tag.
fail because they don't include an HTML submit button:
- How do I create popup windows?
target="_blank" attribute of the
<a href> tag.
Overall, though, I recommend against using
- How do I perform redirects?
instead, use an HTTP redirect or
<a href="foo.html" target="_blank" onClick="window.open(blah);
These are mostly sites that I have personally used to purchase products
(some of which are local to the San Francisco Bay Area);
sites that are suggested by other people are marked with "??". Sites
that I particularly like are marked with "!". Some of these sites have
can all be accessed with
Lynx, a text-only browser that
Some sites don't work with Lynx but do work with a couple of other
Links (can be compiled with
Some of these sites have been notorious for poor privacy policies in the
past, but I'm not addressing that issue here.
Copyright 2001, 2002, 2003, 2004, 2006 by Aahz
Several people have contributed information and comments, but Jon Ribbens
(jon(at)unequivocal(dot)co(dot)uk) deserves special mention.