
> I had a client once who had something similar, although unintentionally.

I did that too. I was aware of the problem, but at the time (1996) I did not know how to fix it.

So I just documented it and warned that they should keep the site away from AltaVista.

This was back before cookies had wide support, so login state was in the URL. If you allowed a search spider to know that URL it would have deleted the entire site by spidering it.

I did eventually fix it by switching to forms, and strengthening the URL token to expire if unused for a while. And then eventually switching to cookies (at one point it supported both URL tokens and cookies).

I have not thought about those days in such a long time.



Why not POST requests for anything that changed server-side state?


Obviously that is the solution. I know that now, I didn't then. (As I wrote: "I did eventually fix it by switching to forms.")

The whole thing about POST vs GET that everyone knows today for read only vs write was not that well known back then.

Back then you used GET for things with a small number of variables, and POST when you expected enough data that it wouldn't fit in the URL. It was all about the URL, not about the effect of the request.
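The failure mode the thread describes, as an added illustration (not code from any commenter): a site whose admin session lives in the URL and whose delete links act on GET, next to a version where GET is read-only and deletion needs a POST with a session cookie that expires when idle. The crawler, the toy site, the 15-minute idle timeout and every path name are constructed for the example; a real spider sends no cookies and issues only GETs, which is exactly why the first design loses every page.

```python
"""Why GET must not change server-side state: a spider 'clicks' every link it sees.
Constructed toy site; no network, no real crawler."""
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # assumed value: an admin token dies after 15 idle minutes


class Site:
    def __init__(self, pages, clock=time.time):
        self.pages = set(pages)
        self.clock = clock
        self.tokens = {}  # admin token -> timestamp of last use

    def login(self):
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = self.clock()
        return tok

    def token_valid(self, tok):
        """Sliding expiry: the token is good only if used within IDLE_TIMEOUT,
        and each successful use refreshes it."""
        last = self.tokens.get(tok)
        if last is None or self.clock() - last > IDLE_TIMEOUT:
            self.tokens.pop(tok, None)
            return False
        self.tokens[tok] = self.clock()
        return True

    # --- 1996 pattern: login state in the URL, deletion happens on GET -------
    def legacy_handle(self, method, path, query, body=None, cookies=None):
        tok = query.get("token")
        if path == "/admin" and self.token_valid(tok):
            # the admin page lists every page with a delete link carrying the token
            return [f"/delete?page={p}&token={tok}" for p in sorted(self.pages)]
        if path == "/delete" and self.token_valid(tok):
            self.pages.discard(query.get("page"))  # a GET with a side effect
            return [f"/admin?token={tok}"]
        return []

    # --- fixed pattern: GET only reads; mutation needs POST plus a cookie ----
    def hardened_handle(self, method, path, query, body=None, cookies=None):
        tok = (cookies or {}).get("session")
        if method == "GET" and path == "/admin" and self.token_valid(tok):
            # links lead to a confirmation form, following them changes nothing
            return [f"/confirm_delete?page={p}" for p in sorted(self.pages)]
        if method == "POST" and path == "/delete" and self.token_valid(tok):
            self.pages.discard((body or {}).get("page"))
            return []
        return []  # wrong method, no session, or unknown path: no effect


def spider(site, handler, start_url):
    """Minimal crawler: GETs every URL it discovers, never POSTs, sends no cookies."""
    seen, queue = set(), [start_url]
    while queue:
        url = queue.pop()
        if url in seen:
            continue
        seen.add(url)
        path, _, qs = url.partition("?")
        query = dict(kv.split("=", 1) for kv in qs.split("&") if kv)
        queue.extend(handler("GET", path, query))
    return seen


if __name__ == "__main__":
    site = Site(["index", "about", "contact"])
    spider(site, site.legacy_handle, f"/admin?token={site.login()}")
    print("legacy site after crawl:", sorted(site.pages))      # []
    site = Site(["index", "about", "contact"])
    spider(site, site.hardened_handle, f"/admin?token={site.login()}")
    print("hardened site after crawl:", sorted(site.pages))    # all three survive
```

The legacy handler never looks at the method at all, which is the historical point made above: the choice between GET and POST was about URL length, so nothing stopped a link from being a destructive action. The hardened handler makes the method part of the authorization decision, and the idle expiry limits how long a leaked token stays useful.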


Ah, I see. Should have picked that up.

I guess there was no Wikipedia to have an article for HTTP back then, which has been an invaluable resource for me to understand some of the intricacies in my work.


I remember those days. Those days only two methods existed, GET and POST! ;)


htaccess would have been your friend. How did you prevent any visitor from deleting the site?


> htaccess would have been your friend

htaccess didn't exist in 1996.

This site ran on IIS 1.0 on Windows NT 3.51. For scripting we used a prerelease ColdFusion version (i.e. the version before 1.0, which was released as we were developing the site, partially based on feedback we provided as we tested it).

> How did you prevent any visitor from deleting the site?

A security token in the URL which was secret. The worry was that some admin would try to submit the site to AltaVista for indexing without removing the token from the URL first.


> htaccess didn't exist in 1996.

Obviously not for IIS, but .htaccess files go back at least as far as NCSA httpd, and so definitely existed before 1996.


> This site ran on IIS (anything)

There's your first problem.


Unnecessary condescending snark.



