AJAX, the back button, and the tribulations of the web application metaphor

Lately, I have been reading a large number of posts about the loss of "browser metaphors" in AJAX applications. The biggest beef is generally the reduced or eliminated functionality of the back button in the browser, but other complaints such as:

• Loss of state
• Insecure traffic
• Network inavailability
• Inconsistent frameworks
• Did I mention the back button?

The salient point here is that the Metaphor has changed. While I think that there are good points here (especially from the loss of state perspective), the majority of these gripes have more to do with a lack of comfort with a new metaphor than they do with the value in a new paradigm...

First of all, the "back" button is a non-issue. This is not a problem with the AJAX method, this is just lazy programming (something that I have done just as badly as anyone else, I must add). The metaphor for an AJAX application has a lot more to do with a desktop app. than with a web application. Think about it. Web 1.0 applications are largely HTTP POST based, and are (other than the post/get process itself), largely immune to the vagaries of the back button, or even closing the browser window. AJAX apps on the other hand are a lot more like desktop applications. Clicking back is a lot like closing the program for a desktop app. If your AJAX app has situations where a back button would be useful, an UNDO button would probably be a good idea. Really, this is what the back button complaint maps to most of the time: lack of undo.

As for the security issue, This is mostly just more of the same. If your regular DHTML/Server Side application is insecure on one of the posts, then your ajax app (having more frequent data interchange) is going to be MORE insecure. OTOH, if you run all your data channels over SSL, do not store exploitable cookies (oops), and avoid all the other XSS/SQL injection issues, then you are probably no worse off with AJAX.