Rixstep

Client Side, Server Side, Dark Side

If you are seeing this message it is because you have JavaScript turned off.
 - Jackass Design Inc

We're sorry, but this website requires you to enable cookies in your browser.
 - Dodo Webmedia LLC


Cookies, JavaScript, and Java represent client side technologies. They're executed or stored on the 'client side' - on your machine. They're the Dark Side.

If something bad is going to happen to your computer, it will happen because bad code executed on it. If all your browser can do is read HTML formatted text, nothing can happen.

Anyone surfing the web today with cookies, JavaScript, and especially Java turned on by default should have their licence revoked. Anyone not cleaning their cookie cache after a session should have to go back to school.


Cookies represent an early attempt at state-controlled web transactions. The technique is simple: when your browser accesses a host it is sent a 'Set-Cookie' directive together with a mumbo-jumbo gobbledegook number expressed as a character string. When your browser next accesses that same host it offers back the same cookie. The server can then know you are you.

Some webmail sites use cookies to make sure your account is not being accessed by anyone who doesn't have a right to go in there. Once you sign in with username and password, the sites send back a cookie or two so your browser can continue to identify you as a legit account holder.

Cookies also have domain fields: the host sending the Set-Cookie directive will specify for which domains the cookie value is to be returned. And they have expiry dates too, and they can be marked session-based or persistent.

Before leaving office, Handsome Bill asked websites to stop using persistent cookies - period. Not many webmeisters paid this any heed. Google today are infamous for using persistent cookies - and for setting the expiry date to the maximum value possible with 32-bit Linux: the year 2038.
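The Set-Cookie fields described above (domain scope, expiry, session-based versus persistent) can be read straight off a response header. The following is an added example, not code from this article or from Rixstep; the function name, sample hosts, and cookie values are constructed for illustration, and the fixed "now" is an assumption so the output is reproducible.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Latest instant a signed 32-bit time_t can hold: 2038-01-19 03:14:07 UTC.
TIME_T_MAX = datetime.fromtimestamp(2**31 - 1, tz=timezone.utc)

def audit_set_cookie(header, request_host, now):
    """Report what one Set-Cookie header value asks the browser to remember."""
    first, *attrs = [part.strip() for part in header.split(";")]
    fields = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        fields[key.strip().lower()] = val.strip()

    # A Domain attribute widens the cookie from the sending host to a domain.
    domain = fields.get("domain", "").lstrip(".").lower()
    scope = f"{domain} and subdomains" if domain else f"{request_host} only"

    # Max-Age takes precedence over Expires; neither means session-based.
    expires = None
    try:
        if "max-age" in fields:
            expires = now + timedelta(seconds=int(fields["max-age"]))
        elif "expires" in fields:
            expires = parsedate_to_datetime(fields["expires"])
            if expires.tzinfo is None:  # no zone given: cookie dates are GMT
                expires = expires.replace(tzinfo=timezone.utc)
    except (TypeError, ValueError, OverflowError):
        expires = None  # unparseable lifetime: treat as a session cookie

    if expires is None or expires <= now:
        kind, days = ("session" if expires is None else "expired"), 0
    else:
        kind, days = "persistent", (expires - now).days
    return {"name": first.partition("=")[0], "scope": scope, "kind": kind,
            "lifetime_days": days,
            "at_32bit_ceiling": expires is not None and expires >= TIME_T_MAX}

# Constructed sample responses (host, Set-Cookie value); not captured traffic.
SAMPLES = [
    ("mail.example.com", "SID=31d4d96e407aad42; Path=/; HttpOnly"),
    ("www.example.com", "PREF=ID=abc123; Domain=.example.com; "
                        "Expires=Tue, 19 Jan 2038 03:14:07 GMT; Path=/"),
    ("ads.example.net", "uid=7f3a; Max-Age=31536000; Path=/"),
]
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed so results are stable
if __name__ == "__main__":
    for host, value in SAMPLES:
        print(host, audit_set_cookie(value, host, NOW))
```

Run against headers copied from a browser's network inspector, it shows at a glance which cookies vanish with the session and which are set to follow the browser for years.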


Cookies have been misused and abused from day one. Notorious DoubleClick use them to track where you go. More and more media companies require not only authenticated login to read news stories but a cookie so they can see exactly where you go. They're watching you and they're hoping you're sloppy and forget to clean your cookie cache afterwards so they can continue to keep an eye on you.

Tracking statistics can be sold for big bucks to marketing companies. Wherever you go you're noted for who you are and what you like. You're not anonymous, even if they don't have your name, address, and phone number - yet.

Sweepstakes offers come in a never-ending stream of spam: once you've enabled cookies, you can sign in for a long-shot chance at perhaps a Mongolian toaster. These sites do ask for your personal information - and once they've got it they can use the cookie your browser keeps sending back to know exactly where Mrs Myra McNutcase of 123 Winnebago Avenue Dirt Springs went surfing last week - and the week before that and the week before that.

The wonder of it is that there are websites out there functioning as discussion forums where all people do is exchange information about new sweepstakes to enter. And each time they take the bait, the idiots are further compromised.


If cookies are a misdemeanour, then JavaScript is a felony. Explicitly denying script code access to the local machine is a design goal, not a reality. Platform vendors still have to implement their use of JavaScript, and accidents - and worse - can and do happen.

And then of course there's always Microsoft. The Redmond Vole tried deliberately to undermine standards by moving their code into proprietary modules so that site visitors wouldn't be able to make web pages work if they weren't running Windows. One hundred nineteen corporations signed the agreement with Sun Microsystems; one hundred eighteen have dutifully been playing by the rules all along. One did not - and it was later revealed they broke the rules deliberately in an attempt to break the standard.

There is nothing inside your computer to stop JavaScript from doing something dumb or dirty.

The Safari web browser is supposed to block all popups, and yet users with JavaScript turned on notice some popups can still creep through. All popups are generated by JavaScript; Safari does a fair job of determining which code calls represent popups; but the mongrels out there get more clever by the day. The only way to make sure you will never get a popup on any browser is to leave JavaScript off.


JavaScript is not supposed to touch your local machine, but Java can. Some mail clients still have a toggle for enabling Java - as dumb as one can find. Mail is text and no more and should be treated as such. Even JavaScript in mail should be outlawed. But Java is a step over the brink into something much worse.

Java applications are true applications: they're platform-independent code and as such can run anywhere and be transported to any destination. And when they arrive they're expected to be able to do the same things as any other applications do.

Isn't it a nice feeling knowing a remote site can at any time decide to leverage a bomb to your computer through your browser - and you might not even be made aware of it?

Cookies, JavaScript, and Java all represent 'client side' technologies. They're called 'client side' because they execute or are stored on the 'client side' - your computer. But again: they're an early attempt to get things running on the World Wide Web. Thankfully things have progressed a lot further now.


For IT has found a safer way to do the same things that legit sites did with cookies and JavaScript. They're mostly using PHP, Perl, and Python today. And the half-awake surfer will notice after a while that some sites seem capable of doing all of what older sites are doing - but without using cookies, or JavaScript, or Java. That's because their webmeisters went back to school and learned how to do things better.

Code that executes on the server side will never reach your computer. Your browser remains a 'reader' only, picking up the HTML and rendering it on your screen. No code is being executed. When it's text and nothing but text, nothing can harm you: text can't 'execute'. You're safe.

Server side technologies can still establish state-controlled transactions but they do it on their side and not yours. There is nothing stored on your computer. You can see they're not the same because you can access these sites without having cookies turned on and can still authenticate who you are and keep your 'conversation' going.

These webmeisters went back to school and took the time to learn to do things right.


Any website that demands you use cookies, JavaScript, or Java is putting you at risk. Any website using client side technology is not running in your best interests.

Sometimes a polite but firm letter to those responsible can help.

Copyright © Rixstep. All rights reserved.