I'm sure many of you have travelled this route.

What are the main things to consider/look out for when a desktop app developer first steps into the web development world?

+10  A: 

Sessions! HTTP is stateless. Consider how you will store data across page jumps.

ASP.NET State management:

PHP Session Management:

Edit: A few people have mentioned cross site scripting. Take a look at this link for the kind of lengths people will go to to attack your site:

Mark Ingram

+1  A: 

The browser has a 'back' button, and you will need to learn how to work around it :-(

+4  A: 

Security security security!

All good web-programmers should know how to code against common vulnerabilities. Unfortunately most don't and almost all book-examples of code tutorials contain common security holes.

The OWASP Guide to Building Secure Web Applications and Web Services should be compulsory reading for any web developer that wishes to take security seriously (which should be all web developers). There are many principles to follow that help with the mindset required when thinking about security.

If reading a big fat document is not for you, then have a look at the video of the seminar Mike Andrews gave at Google a couple years back about How To Break Web Software.


I would suggest learning web standards and best practices. Don't rely on tables to do your layout. Separate your layout from your content (html, css).

Therefore, I would suggest learning how to create web pages before doing any programming.

+1  A: 

The only real thing which would help you that comes to mind is using the W3 Validator often. Rather than writing everything and then either never trying to get the page to validate, or waiting until the end to write in tons of small fixes to get the page to validate, you can just make sure you are writing HTML in a standard way which will work on nearly all compliant browsers. Plus, you get to put a neat link on your page to show off that you took the effort to follow the web standards.

+1  A: 

I totally agree with Mark Ingram and HockeyWhiteBoy.

In addition to cheekysoft: You should know what cross-site scripting, cross-site request forgery and SQL injection are and how to protect your applications from them! Never trust user input! Never trust client-side validation!

+1  A: 

I would go with many others and point out security. On desktop apps, the only person most users can hurt is themselves. When there's a vulnerability on a web app, it affects the whole user base, as well as the company creating the web app.

Another big thing is to understand the way the web works. Understand how form posts are done, where the post, querystring, and cookies actually come from. Understand the difference between client side and server side code, and what the limitations are of each.
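
An added example, not part of any of the answers above, showing what "never trust user input" and "never trust client-side validation" mean on the server: a concatenated query beside its parameterized form, a server-side re-check of a form field, and escaping on output. The table, function names and sample request values are all constructed for illustration.

```python
import html
import sqlite3

# Constructed sample values standing in for form/querystring data from a request.
CRAFTED_NAME = "x' OR '1'='1"
CRAFTED_COMMENT = "<script>alert(1)</script>"

def make_db():
    """In-memory table (hypothetical schema) so the example runs offline."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db

def find_user_concat(db, name):
    # Before: the request value becomes part of the SQL text and can rewrite the query.
    return db.execute(
        "SELECT name, role FROM users WHERE name = '" + name + "'").fetchall()

def find_user_param(db, name):
    # After: the value is bound as a parameter and is only ever compared as data.
    return db.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def validate_quantity(raw):
    # Server-side check repeated even if the browser form already enforces it:
    # a request does not have to come from that form.
    if not (raw.isascii() and raw.isdigit()) or not 1 <= int(raw) <= 100:
        raise ValueError("quantity must be an integer from 1 to 100")
    return int(raw)

def render_comment(text):
    # Escape on output so submitted text is displayed as text, not parsed as markup.
    return "<p>" + html.escape(text) + "</p>"

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", find_user_concat(db, CRAFTED_NAME))
    print("parameterized:", find_user_param(db, CRAFTED_NAME))
    print("escaped:", render_comment(CRAFTED_COMMENT))
    for raw in ("5", "-1", "1000"):
        try:
            print("quantity", raw, "->", validate_quantity(raw))
        except ValueError as err:
            print("quantity", raw, "rejected:", err)
```

With the concatenated query the crafted name matches every row; with the bound parameter it matches none, because no user has that literal name.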