Internet and Intranet Protocols and Applications Lecture 13: Web Beyond HTTP 4/25/2000 Arthur P. Goldberg Computer Science Department New York University

Web Beyond HTTP HTTP offers limited request/response semantics –Unrelated requests –non-secure communications

Some critical extensions for client/server applications Security –encryption/authentication SSL Sessions –Cookies programming environments built on them

Secure Communications Goal Client-----Hostile Network------Server || Client-Server In room by themselves Client-----Hostile Network------Server || Client-Server In room by themselves Cryptographic protocols provide Authenticate –Reliably identify each other Encryption –Messages cannot be read, modified, or created by hostile intermediaries

HTTPS SSL TCP

Key SSL Calls Socket = connect( … ); /* TCP */ SSL_struct = SSL_new(); /* create an SSL structure */ SSL_set_fd( SSL_struct, Socket ); /* bind to a socket*/ SSL_connect( SSL_struct ); ret_code = SSL_write( SSL_struct, buffer, num_bytes); o o o ret_code = SSL_read( SSL_struct, buffer_pointer, num_bytes);

Client BrowserWeb Server Establish a New SSL Connection Hello Hello, Certificate Key exchange, Change Cipher Spec Change Cipher Spec SSL connect, Creating new Session Key TCP Connect

Client BrowserWeb Server SYN ACK/SYN Client Hello TCP Connect Server Hello, Change Cipher Spec Finished SSL connect, Reusing Cached Session Key Reestablish an SSL Connection

HTTP state management mechanism - “cookies” A ‘cookie’: A session identifier rfc2109 2/97 Kristol & Montulli

Cookie Headers Set-Cookie –Server to client Cookie –Client to server

Set-cookie response header Name=value; [Domain=value;] –the domain for which the cookie is valid (Defaults to the request-host) [path=value;] –the subset of URLs to which the cookie applies [max-age=value] –the lifetime of the cookie, in seconds

Caching To suppress caching of the Set-Cookie header in HTTP 1.1 –Cache-control: no-cache="set- cookie"

Cookie request header Cookie: –NAME = VALUE [";" path] [";" domain] –Multiple name=value pairs

Cookie selection Rules for choosing cookie-values from all the browser’s cookies Domain Selection –The origin server's fully-qualified host name must domain-match the Domain attribute of the cookie. Path Selection –The Path attribute of the cookie must match a prefix of the request-URI. Max-Age Selection –Cookies that have expired should have been discarded

Server cookie use unique ID for session/argument to lookups key into user database

Web Server Programming Environments Single Request CGI/fast-CGI APIs Netscape (NSAPI) Microsoft (ISAPI) Templates Webpage=program database interface full language Servlets Multiple Request Process, with control flow

HTML with embedded commands eg. Oracle Allairecold fusion

Specialized tags get interpreted by programs/OB queries Template filled in by output of program may be compiled

Example: Cold Fusion Web page/file is a cold fusion module, or CFM Accessing the page –Loads the cold fusion interpreter which –‘exceutes’ the page and –Returns HTML

CFM TAGS –HTML –CF CF concepts –Variables –Control flow –SQL –Tables

CF Example download data to a spreadsheet Select first_name, last_name from people First name Last Name #first_name# #last_name#

CF Example

Server Programming Session –Variety of techniques Custom JAVA ‘Process’ – Interworld ‘Dynamo’ - Art Technology Group

Connection: close

HTTPS Connection Psuedo code if (HTTPS) Default_port=443; else Default_port=80; if ( !port) port=Default_port; s=TCP_connect (host, port); if ( HTTPS) SSL_handle = SSL_connect(s);

/* write */ if (HTTPS) rc=SSL_write (SSL_handle, buf, n); else rc=write (s, buf, n);

/* read */ if (HTTPS) rc=SSL_read(SSL_handle, buf, n); else rc= read(s, buf, n);