Saving State on the WWW

Similar documents
Computer Networks. Wenzhong Li. Nanjing University

Lecture 9a: Sessions and Cookies

CSC 4900 Computer Networks:

Server-Side Web Programming: Python (Part 1) Copyright 2017 by Robert M. Dondero, Ph.D. Princeton University

CS105 Perl: Perl CGI. Nathan Clement 24 Feb 2014

Web, HTTP and Web Caching

CS 355. Computer Networking. Wei Lu, Ph.D., P.Eng.

CSC 401 Data and Computer Communications Networks

The Application Layer: SMTP, FTP

3. WWW and HTTP. Fig.3.1 Architecture of WWW

CN Assignment I. 1. With an example explain how cookies are used in e-commerce application to improve the performance.

1-1. Switching Networks (Fall 2010) EE 586 Communication and. September Lecture 10

Session 8. Reading and Reference. en.wikipedia.org/wiki/list_of_http_headers. en.wikipedia.org/wiki/http_status_codes

CSC309: Introduction to Web Programming. Lecture 8

Lecture 3. HTTP v1.0 application layer protocol. into details. HTTP 1.0: RFC 1945, T. Berners-Lee HTTP 1.1: RFC 2068, 2616

CSC 257/457 Computer Networks. Fall 2017 MW 4:50 pm 6:05 pm CSB 601

WEB TECHNOLOGIES CHAPTER 1

CS144: Sessions. Cookie : CS144: Web Applications

CS 161 Computer Security

Information Security CS 526 Topic 8

CS 43: Computer Networks. 12: and SMTP September 28, 2018

Information Security CS 526 Topic 11

Application Level Protocols

Authentication for Web Services. Ray Miller Systems Development and Support Computing Services, University of Oxford

A. Getting Started About e-access Enrolling in e-access: Authenticating your account Login... 5

Software LEIC/LETI. Lecture 20

CGI Architecture Diagram. Web browser takes response from web server and displays either the received file or error message.

INTERNET ENGINEERING. HTTP Protocol. Sadegh Aliakbary

Web Engineering (CC 552)

Unraveling the Mysteries of J2EE Web Application Communications

Lecture 7b: HTTP. Feb. 24, Internet and Intranet Protocols and Applications

CS 5450 HTTP. Vitaly Shmatikov

Electronic Mail. Three Components: SMTP SMTP. SMTP mail server. 1. User Agents. 2. Mail Servers. 3. SMTP protocol

Managing State. Chapter 13

5/19/2015. Objectives. JavaScript, Sixth Edition. Saving State Information with Query Strings. Understanding State Information

Chapter 2. Application Layer

ReST 2000 Roy Fielding W3C

CMSC 332 Computer Networking Web and FTP

Review of Previous Lecture

MEMBERSHIP & PARTICIPATION

MEMBERSHIP & PARTICIPATION

Layered Model. DoD Model. ISO/OSI Model

HttpServlet ( Class ) -- we will extend this class to handle GET / PUT HTTP requests

Media Library Help Guide

HTTP/2: What You Need to Know. Robert

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Session 9. Deployment Descriptor Http. Reading and Reference. en.wikipedia.org/wiki/http. en.wikipedia.org/wiki/list_of_http_headers

Security. 1 Introduction. Alex S. 1.1 Authentication

The HTTP protocol. Fulvio Corno, Dario Bonino. 08/10/09 http 1

EEC-682/782 Computer Networks I

Chapter 2: outline. 2.6 P2P applications 2.7 socket programming with UDP and TCP

Networking. Layered Model. DoD Model. Application Layer. ISO/OSI Model

ReCPro TM User Manual Version 1.15

ASP.NET State Management Techniques

Server-side computing

CSC 482/582: Computer Security. Cross-Site Security

Chapter 2 Application Layer

Chapter 2: Application Layer. Chapter 2 Application Layer. Some network apps. Application architectures. Chapter 2: Application layer

Chapter 8 Web-based Information Systems

GET /index.php HTTP/1.1 Host: User- agent: Mozilla/4.0

Welcome to Cart32, Sincerely, Cart32 Support Team

Chapter 2 Application Layer

The CartIt Commerce System Installation Guide

CS 43: Computer Networks. HTTP September 10, 2018

About the Authors. Who Should Read This Book. How This Book Is Organized

Information Network Systems The application layer. Stephan Sigg

CS6120: Intelligent Media Systems. User Models. How is User Model Data Obtained? 11/01/2014

COSC 2206 Internet Tools. The HTTP Protocol

Building a Web-based Health Promotion Database

Wireshark HTTP. Introduction. The Basic HTTP GET/response interaction

CMPE 151: Network Administration. Servers

Dynamic Documents. Kent State University Dept. of Math & Computer Science. CS 4/55231 Internet Engineering. What is a Script?

Table of Contents...2 Abstract...3 Protocol Flow Analyzer...3

Chapter 10 Web-based Information Systems

Oracle Sourcing Support Helpdesk: Telephone: > Option

WEB SECURITY: WEB BACKGROUND

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Chapter 10 Web-based Information Systems

The 4D Web Companion. David Adams

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

USER GUIDE. EBMS SECURE MailGate

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Jeff Offutt SWE 642 Software Engineering for the World Wide Web

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

Analytics, Insights, Cookies, and the Disappearing Privacy

HyperText Transfer Protocol

Chapter 2 Application Layer

Web basics: HTTP cookies

Chapter 2 Application Layer

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

CSCD 303 Essential Computer Security Fall 2017

Media File Options. Deployment and Ongoing Management CHAPTER

CSE4344 Project 2 (Spring 2017) Wireshark Lab: HTTP

1/6/ :28 AM Approved New Course (First Version) CS 50A Course Outline as of Fall 2014

Application Protocol Breakdown

Handout 31 Web Design & Development

Chapter 2: outline. 2.6 P2P applications 2.7 socket programming with UDP and TCP

13. Databases on the Web

Project A: Extending Microblog

Lecture 04: Application Layer (Part 01) Principles and the World Wide Web (HTTP) Dr. Anis Koubaa

Transcription:

Saving State on the WWW The Issue Connections on the WWW are stateless Every time a link is followed is like the first time to the server it has no memory for connections Why Bother To Fix This? By saving state we can Save configuration information between sessions Make adaptive websites (change themselves to suit user s behaviour) Enable e-commerce applications (shopping carts) Violate users privacy by tracking which websites and webpages they visit 1

Saving State In General Methods of Saving State Cookies Session-level authentication forms URL Rewriting Method 1: Cookies Basic idea Client stores data for the server Client sends data to server with each request Details (Version 0) Required fields: name=value Optional fields: domain, path, secure, expires Size: maximum 4 kilobytes Number: maximum 1024 cookies 2

Aside: Cookie Concept Cookie is a computing term from long ago. According to The New Hacker s Dictionary: Something passed between subroutines or programs that enables the receiver to do something useful The thing being passed is opaque to the sender (e.g. time_t type C libraries use) Cookies are also small The phrase it hands you a magic cookie means it returns a result whose contents are not defined but which can be passed back to the same or some other program later. [source for quote at end] Cookie Examples Examples at course website time1.cgi vs. time2.cgi Compare form method with cookie method cookie-colour One program to write cookies One program to read cookies Use env.cgi to see cookies in headers Method 2: Session-level Authentication See 12.2 (Basic Authentication) in HTTP: The Definitive Guide by David Gourley & Brian Totty, 2002 by O'Reilly & Associates, Inc. (ISBN: 1-56592-509-2) Session (from ISO Reference Model) Logical communication between two network end points Sessions are composed of requests and responses that occur between applications in different network hosts. In browser terms a session is the longevity of the O/S process 3

The Steps of Basic Authentication 1. Browser requests resource from server application usually with GET protocol 2. Server replies with code 401 (authorization required) 3. Browser prompts user for name & password 4. Browser resends request including the name & password (in the network header) Every time the browser makes a request for that resource it will send the name & password, until the end of the session The name & password are like a cookie that is stored in RAM Because they are in RAM they will be forgotten when the browser quits (i.e., at the end of the session) Method 3: forms with hidden fields We usually pull webpages in from a server Forms are for pushing data to the server To use forms we need to use CGI protocol CGI = common gateway interface An application layer protocol that allows client to send data to the server Two form Methods method= get Data is part of URL Only used for simple requests (e.g. search engine queries) Conceptually: a query of a database method= post Data is not part of URL Can be used for file upload Conceptually: an alteration to a database See form examples online 4

Saving State With forms Hidden post & simple get Did you see the hidden field? Did you see the hidden data? That s one way of saving state: Placing the data in a form so that every time the form is submitted (sent to the server) the data is sent too Examples using CGI program to generate a form Loan.cgi & multi-page.cgi Essence of State Saving Using forms There must be an uninterrupted sequence of request/responses pairs from the browser to a CGI program (or programs) The state must be represented in the form, and recognized by the CGI program(s) The CGI program(s) must encode the state in the form Essence of State Saving Using forms This diagram is for a single CGI program and a single form, but the same thing could be done with multiple programs & forms 5

Method 4: Servlets & URL Rewriting Recall that method= get forms pass their data in the URL These URLS are designed to be cached You don t need a browser that can understand forms to use them You can just type them in like any other web address URL Rewriting Explained So why not put the state information from method= get forms in the href of every anchor Instead of <a href="foo.html" >click here</a> do <a href="foo.html?session= " >click here</a> Servlets (1 of 2) Many users dislike long URLs they are hard to mail to friends & look ugly Some browser software don t support cookies and many users have such support disabled Wouldn t it be great if your server would use cookies when the client supported them, and URL rewriting when it didn t? 6

Servlets (2 of 2) Servlets (and other server-side software) do that! Servlets are server-side programs often written in Java, but servlet is the generic name Other server-side technologies work the same way but are implemented in other languages See also Servlets lecture What Data Do We Pass? But isn t that a lot of state information to send back and forth? Not really, because we don t have to pass all of the data back and forth We can pass a user or session ID and the server will maintain a database keyed by those IDs Resources Cookie resources at course website HTTP: The Definitive Guide in the e-book collection Cookie examples at course website SessionTrack servlet example at course website Note that servlets are not always running at FCS 7

Bibliography 1. CS3172 Resource List 2. Web Protocols and Practice Balachander Krishnamurthy & Jennifer Rexford Addison-Wesley May 2001 2001 by AT&T Corp. (ISBN 0-201-71088-9) 3. HTTP: The Definitive Guide David Gourley & Brian Totty, with others O'Reilly & Assoc. Sept. 2001 (ISBN 1-56592-509-2) 4. The New Hacker s Dictionary Eric S. Raymond (editor) Online version used at <URL:http://www.logophilia.com/jargon/jargon_28.html#TAG1093> 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback