Internet and Intranet Protocols and Applications
Lecture 13: Web Beyond HTTP
4/25/2000
Arthur P. Goldberg
Computer Science Department
New York University
Web Beyond HTTP
• HTTP offers limited request/response semantics
  – Unrelated requests
  – Non-secure communications
Some critical extensions for client/server applications
• Security – encryption/authentication
  – SSL
• Sessions – cookies
• Programming environments built on them
Secure Communications Goal
Client -----Hostile Network------ Server
              ||
Client-Server in a room by themselves
• Cryptographic protocols provide
• Authentication
  – Reliably identify each other
• Encryption
  – Messages cannot be read, modified, or created by hostile intermediaries
HTTPS
  HTTPS
  SSL
  TCP
Key SSL Calls
  Socket = connect( … );                     /* TCP connection first */
  SSL_struct = SSL_new( ctx );               /* create an SSL structure from an SSL_CTX (ctx from SSL_CTX_new) */
  SSL_set_fd( SSL_struct, Socket );          /* bind it to the socket */
  SSL_connect( SSL_struct );                 /* run the SSL handshake */
  ret_code = SSL_write( SSL_struct, buffer, num_bytes );
  o o o
  ret_code = SSL_read( SSL_struct, buffer_pointer, num_bytes );
Establish a New SSL Connection
  Client Browser                                   Web Server
  TCP connect  ---------------------------------------->
  Hello        ---------------------------------------->
               <-------------------------  Hello, Certificate
  Key exchange, Change Cipher Spec  ------------------->
               <-------------------------  Change Cipher Spec
  (SSL connect: creating new session key)

Reestablish an SSL Connection
  Client Browser                                   Web Server
  SYN          ---------------------------------------->   (TCP connect)
               <-------------------------  ACK/SYN
  Client Hello ---------------------------------------->
               <-------------------------  Server Hello, Change Cipher Spec
               <-------------------------  Finished
  (SSL connect: reusing cached session key)
HTTP state management mechanism - “cookies”
• A ‘cookie’: A session identifier
• RFC 2109, Feb. 1997, Kristol & Montulli
Cookie Headers
• Set-Cookie – server to client
• Cookie – client to server
Set-cookie response header
• Name=value;
• [Domain=value;]
  – the domain for which the cookie is valid (defaults to the request-host)
• [path=value;]
  – the subset of URLs to which the cookie applies
• [max-age=value]
  – the lifetime of the cookie, in seconds
Caching
• To suppress caching of the Set-Cookie header in HTTP 1.1
  – Cache-control: no-cache="set-cookie"
Cookie request header
• Cookie:
  – NAME=VALUE [";" path] [";" domain]
  – Multiple name=value pairs
Cookie selection
• Rules for choosing cookie-values from all the browser’s cookies
• Domain selection
  – The origin server's fully-qualified host name must domain-match the Domain attribute of the cookie.
• Path selection
  – The Path attribute of the cookie must match a prefix of the request-URI.
• Max-Age selection
  – Cookies that have expired should have been discarded.
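The selection rules above, worked as an added Python example that is not part of the lecture: the cookie jar, host names and the function names `accept_cookie` and `select_cookies` are constructed. It goes one step beyond the slide by also showing the RFC 2109 rejection rules a browser applies before storing a Set-Cookie, which is what stops one host from planting cookies for a whole domain.

```python
from dataclasses import dataclass
from typing import List, Optional
import time

@dataclass
class Cookie:
    name: str
    value: str
    domain: str                          # e.g. ".nyu.edu"; defaults to the request host
    path: str                            # e.g. "/"; defaults to the request path
    expires_at: Optional[float] = None   # absolute time from Max-Age; None = session cookie

def domain_match(host: str, domain: str) -> bool:
    """RFC 2109 domain-match: names equal, or host = N + domain where domain starts with '.'."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return domain.startswith(".") and len(host) > len(domain) and host.endswith(domain)

def accept_cookie(request_host: str, request_path: str,
                  domain: Optional[str], path: Optional[str]) -> bool:
    """RFC 2109 4.3.2: the browser rejects a Set-Cookie that tries to widen its scope."""
    if path is not None and not request_path.startswith(path):
        return False                     # Path must be a prefix of the request-URI
    if domain is None:
        return True                      # scope defaults to the request host itself
    if not domain.startswith(".") or "." not in domain[1:]:
        return False                     # needs a leading dot and an embedded dot (no ".edu")
    if not domain_match(request_host, domain):
        return False                     # a host may only set cookies for its own domain
    head = request_host[:-len(domain)]   # a.b.nyu.edu may not set a cookie for .nyu.edu
    return "." not in head

def select_cookies(jar: List[Cookie], host: str, path: str, now: float) -> str:
    """Build the Cookie request header: domain-match, path prefix and not expired."""
    chosen = [c for c in jar
              if domain_match(host, c.domain)
              and path.startswith(c.path)
              and (c.expires_at is None or c.expires_at > now)]
    chosen.sort(key=lambda c: len(c.path), reverse=True)   # more specific paths first
    return "; ".join(f"{c.name}={c.value}" for c in chosen)

NOW = time.time()
JAR = [  # constructed sample cookies, not from the lecture
    Cookie("sid", "abc", ".nyu.edu", "/"),
    Cookie("admin", "1", ".nyu.edu", "/admin"),
    Cookie("old", "x", ".nyu.edu", "/", expires_at=NOW - 1),   # already expired
    Cookie("other", "z", ".example.com", "/"),
]
```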
Server cookie use
• Unique ID for the session / argument to lookups
• Key into user database
Web Server Programming Environments
• Single request
  – CGI / fast-CGI
  – APIs: Netscape (NSAPI), Microsoft (ISAPI)
  – Templates: web page = program; database interface; full language
  – Servlets
• Multiple request
  – Process, with control flow
• HTML with embedded commands
  – e.g. Oracle, Allaire Cold Fusion
• Specialized tags get interpreted by programs / DB queries
• Template: <HTML> <If_*> filled in by output of program <HTML>
• May be compiled
Example: Cold Fusion
• Web page/file is a cold fusion module, or CFM
• Accessing the page
  – Loads the Cold Fusion interpreter, which
  – ‘executes’ the page and
  – Returns HTML
CFM
• Tags
  – HTML
  – CF
• CF concepts
  – Variables
  – Control flow
  – SQL
  – Tables
CF Example
• Download data to a spreadsheet
  <cfcontent type="application/msexcel">
  <cfquery name="test" datasource="lims" dbtype="ODBC">
    Select first_name, last_name from people
  </cfquery>
  <table>
  <tr><td>First name</td><td>Last Name</td></tr>
  <cfoutput query="test">
  <tr><td>#first_name#</td><td>#last_name#</td></tr>
  </cfoutput>
  </table>
CF Example
  <CFIF IsDefined("url.querySaveOpen")>
    <CFIF url.QuerySaveOpen IS APPL.SAVEQUERY>
      <cflocation url="savequery.cfm">
    <CFELSEIF url.QuerySaveOpen IS APPL.OPENQUERY>
      <cflocation url="openquery.cfm">
    </CFIF>
  </CFIF>
Server Programming
• Session – variety of techniques
• Custom JAVA ‘Process’ – Interworld
• ‘Dynamo’ - Art Technology Group
Connection: close
HTTPS Connection Pseudo code
  if ( HTTPS ) Default_port = 443;
  else         Default_port = 80;
  if ( !port ) port = Default_port;
  s = TCP_connect( host, port );
  if ( HTTPS ) SSL_handle = SSL_connect( s );   /* SSL handshake on top of the TCP socket */
  /* write */
  if ( HTTPS ) rc = SSL_write( SSL_handle, buf, n );
  else         rc = write( s, buf, n );
  /* read */
  if ( HTTPS ) rc = SSL_read( SSL_handle, buf, n );
  else         rc = read( s, buf, n );