8.3.3 CGI Guidelines

When writing a CGI program, keep the following guidelines or conditions in mind:

• CGI programs must be written to be non-interactive. They take a set of input data, process it, and produce output.

• While the CGI program is running, the user is waiting for a response in the Web browser. CGI programs should be kept small and do their job quickly to reduce the user wait time.

• If users get tired of waiting and press the Stop button on their browsers, the Web server will generally kill the CGI program. The output from the CGI program is discarded.

• One of the limitations of CGI is that it does not automatically maintain any state information. It is the CGI programmer's responsibility to record state information in a file or database and then encode a "key" to that state information in the HTML output.

For example, if a client invokes a CGI program to "log in" to your application or to add an item to his/her "shopping cart", the CGI program must record that fact along with any user identification information in a file or database. When the CGI program generates the HTML output, it should encode a user ID or key in a CGI variable that will get passed to the next CGI program that the client invokes. The next CGI program can then look up the user state information (for example, shopping cart contents) from the database. The user state information should also include a date/time "stamp" so that a maintenance program can delete records for users who haven't logged in a specified amount of time or who left the application without logging out.