Please, can someone give an advice on www.airalgerie.dz, i discover this online reservation web site and i was surprised by the design: -session state is stored in the client side: hidden fields are heavily used -navigation flow between jsp pages is managed by...... javascript code -errors messages for validation are...."pretty too explicit"
I thought about similar approach. Client side state can be kept to a minimum: just primary keys of things like airports, flights, seats, etc referenced in current itinerary. Whole structure can be serialized into few hundred bytes (well within 4K cookie limit).
Regarding security, whole interaction can go over HTTPS. Payment submission form must use some kind indirect way of credit card identification anyway.
Also, whole session-containing cookie/hidden field can be encrypted/signed.
Now think about web-tier state. Hacker can intercept somebody's JSESSION_ID and book some flights. Unless... :-)
