You have some page with an edit box and a submit button. When you submit, the data in the box transfers to the server, which displays a new page, which relies on session data to print something to your screen.

Your challenge is to create an application where the behavior of the second page can't be manipulated by by altering the URL.

The reason I don't quite understand the question is that I don't know how the contents of the text box gets to the server in the first place. Certainly once the text is on the server, if the server relies on closures for the second page, then it cannot be manipulated. Say it's http://arclanguage.com/second/cid=3. You can't change that pages because by the time you hit that URL, the text is already in the server and it operates with closures.

OK, I get that part. The part I don't understand is... the data has to get to the server sometime. If you're making a post to http://arclanguage.com/first then you can _effectively_ change the second page by altering the data then. So perhaps it's not in URL; that is, not like http://arclanguage.com/first?text=the%20entry. It's POSTDATA or whatnot. But you can still manipulate post data.

If it satisfies your challenge to say, the data gets to the server by a POST on http://arclanguage.com/first, and then the web server stores the state in a closure and forwards to http://arclanguage.com/second, which displays some things, why would it not be sufficient simply to POST to http://arclanguage.com/second ?

Is the important point the fact that the data _entered_ /first and was used in /second?