Internet and Intranet Protocols and Applications Lecture 13: Web Beyond HTTP 4/25/2000 Arthur P. Goldberg Computer Science Department New York University
Web Beyond HTTP
HTTP offers limited request/response semantics
  Unrelated requests
  Non-secure communications

Some critical extensions for client/server applications
  Security: encryption/authentication (SSL)
  Sessions: cookies, and the programming environments built on them
Secure Communications Goal

    Client -------- Hostile Network -------- Server
                         ||
    Client - Server, as if in a room by themselves

Cryptographic protocols provide
  Authentication: the two ends reliably identify each other
  Encryption and integrity: messages cannot be read, modified, or created by hostile intermediaries

Protocol stack
  HTTPS
  SSL
  TCP
Key SSL Calls (client side, OpenSSL; SSLv23_client_method() was the method of the day, TLS_client_method() today)

    #include <openssl/ssl.h>

    int sock = connect(...);                          /* plain TCP connect, as before */
    SSL_CTX *ctx = SSL_CTX_new(SSLv23_client_method()); /* context: method, certificates, verify settings */
    SSL *ssl = SSL_new(ctx);                          /* create an SSL structure */
    SSL_set_fd(ssl, sock);                            /* bind it to the socket */
    SSL_connect(ssl);                                 /* run the handshake (no certificate check unless
                                                         SSL_CTX_set_verify() was called on ctx) */
    ret_code = SSL_write(ssl, buffer, num_bytes);
    ...
    ret_code = SSL_read(ssl, buffer_pointer, num_bytes);
Establish a New SSL Connection (client browser <-> web server)

    TCP connect
    Client  -- Client Hello --------------------------------------> Server
    Client  <- Server Hello, Certificate, Server Hello Done ------- Server
    Client  -- Client Key Exchange, Change Cipher Spec, Finished -> Server
    Client  <- Change Cipher Spec, Finished ----------------------- Server
    SSL connect complete: a new session key has been created (and cached by both sides)

Reestablish an SSL Connection (reusing a cached session key)

    Client  -- SYN ---------------------------------------> Server  \
    Client  <- SYN/ACK ------------------------------------ Server  / TCP connect
    Client  -- Client Hello (carrying the cached session ID) -> Server
    Client  <- Server Hello, Change Cipher Spec, Finished -- Server
    Client  -- Change Cipher Spec, Finished ---------------> Server
    SSL connect complete: no certificate or key exchange, one round trip less
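The two exchanges above, run as a small model so the difference between a new and a reused session is concrete. This is an added illustration, not code from the lecture and not OpenSSL: there is no certificate check and the premaster secret travels in the clear where real SSL encrypts it under the key in the server's certificate; the hash-based key derivation is a stand-in for the SSL PRF, and the certificate string is a placeholder. What it does show faithfully is which messages each handshake carries, why the server has to keep a session cache, and that a resumed session still ends up with fresh session keys because both sides contribute new randoms.

```python
"""Model of the two SSL handshakes on the slides: a full handshake that
creates a new session, and the abbreviated one that reuses a cached session.
Added illustration, not OpenSSL and not real SSL cryptography."""
import hashlib
import hmac
import os


def master_secret(premaster, client_random, server_random):
    """Both sides compute the same master secret from the premaster and both nonces."""
    return hashlib.sha256(b"master secret" + premaster + client_random + server_random).digest()


def derive_keys(master, client_random, server_random):
    """Session keys mix the master secret with BOTH fresh randoms, so a resumed
    session still gets new keys (simplified stand-in for the SSL PRF)."""
    return hmac.new(master, b"key expansion" + server_random + client_random,
                    hashlib.sha256).digest()


class Server:
    def __init__(self):
        self.session_cache = {}  # session_id -> master secret; this is what makes resumption possible
        self.certificate = b"CN=www.example.edu (placeholder certificate)"

    def client_hello(self, client_random, session_id):
        self.client_random, self.server_random = client_random, os.urandom(32)
        if session_id in self.session_cache:
            # Abbreviated handshake: no Certificate, no key exchange.
            self.session_id = session_id
            self.keys = derive_keys(self.session_cache[session_id], client_random, self.server_random)
            return [("ServerHello", session_id, self.server_random), ("ChangeCipherSpec",), ("Finished",)]
        self.session_id = os.urandom(16)  # fresh session; cached once the key exchange completes
        return [("ServerHello", self.session_id, self.server_random),
                ("Certificate", self.certificate), ("ServerHelloDone",)]

    def key_exchange(self, premaster):
        master = master_secret(premaster, self.client_random, self.server_random)
        self.session_cache[self.session_id] = master
        self.keys = derive_keys(master, self.client_random, self.server_random)
        return [("ChangeCipherSpec",), ("Finished",)]


class Client:
    def __init__(self):
        self.session_id = None  # remembered after the first full handshake
        self.master = None

    def connect(self, server):
        """Run one handshake against server; returns the transcript as a list of messages."""
        client_random = os.urandom(32)
        transcript = [("ClientHello", client_random, self.session_id)]
        replies = server.client_hello(client_random, self.session_id)
        transcript += replies
        server_session_id, server_random = replies[0][1], replies[0][2]
        if server_session_id != self.session_id:
            # Server did not (or could not) resume: full handshake with key exchange.
            premaster = os.urandom(48)
            self.session_id = server_session_id
            self.master = master_secret(premaster, client_random, server_random)
            transcript += [("ClientKeyExchange", premaster), ("ChangeCipherSpec",), ("Finished",)]
            transcript += server.key_exchange(premaster)
        else:
            transcript += [("ChangeCipherSpec",), ("Finished",)]
        self.keys = derive_keys(self.master, client_random, server_random)
        return transcript


def message_names(transcript):
    return [m[0] for m in transcript]


if __name__ == "__main__":
    srv, cli = Server(), Client()
    print("new session:   ", message_names(cli.connect(srv)))
    print("reused session:", message_names(cli.connect(srv)))
```

Running it once against the same Server object prints the full nine-message transcript first and the six-message abbreviated one second; connecting the same Client to a second Server instance (empty cache) falls back to the full handshake, which is exactly what happens when a server farm does not share its session cache.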
HTTP State Management Mechanism: "cookies"
A cookie: a session identifier carried in HTTP headers
RFC 2109, February 1997, Kristol & Montulli

Cookie Headers
  Set-Cookie: server to client
  Cookie: client to server
Set-Cookie response header
  Name=value;
  [Domain=value;]  the domain for which the cookie is valid (defaults to the request host)
  [Path=value;]    the subset of URLs to which the cookie applies
  [Max-Age=value]  the lifetime of the cookie, in seconds

Caching
To suppress caching of the Set-Cookie header in HTTP 1.1:
  Cache-control: no-cache="set-cookie"

Cookie request header
  Cookie: NAME=VALUE [; path] [; domain]
  Multiple name=value pairs, separated by ";"
  (RFC 2109 writes the path and domain back as $Path and $Domain, the "$" distinguishing them from cookie names)
Cookie selection
Rules for choosing cookie values from all the browser's cookies
  Domain selection: the origin server's fully-qualified host name must domain-match the Domain attribute of the cookie
  Path selection: the Path attribute of the cookie must match a prefix of the request-URI
  Max-Age selection: cookies that have expired should have been discarded

Server cookie use
  Unique ID for the session / argument to lookups
  Key into the user database
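The Set-Cookie attributes, the selection rules, and the server-side use of the cookie as a key into the user database, worked as one round trip. This is an added example, not code from the lecture: a client-side jar that parses Set-Cookie (rejecting a Domain or Path the responding host is not allowed to set, as RFC 2109 requires), applies Domain, Path and Max-Age selection when building the Cookie header, and a server-side session table whose cookie value is a random, unguessable identifier. The host names, paths, user name and the "SESSION" cookie name are constructed for the example.

```python
"""Added example: RFC 2109 cookie jar plus a server-side session table.
Not the lecture's code; hosts, paths and user names are constructed."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str
    expires: Optional[float]  # absolute time; None = discard when the browser exits


def domain_match(host: str, domain: str) -> bool:
    """RFC 2109 domain-match: identical, or host is <one label>.<domain> with domain
    starting with a dot (.nyu.edu matches www.nyu.edu, not a.b.nyu.edu or nyu.edu.evil.com)."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return domain.startswith(".") and host.endswith(domain) and "." not in host[:-len(domain)]


def parse_set_cookie(header: str, request_host: str, request_path: str, now: float) -> Cookie:
    """Parse one Set-Cookie value; reject a Domain or Path the responding host may not set."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip().strip('"')
    domain = attrs.get("domain", request_host).lower()
    if "domain" in attrs and not (domain.startswith(".") and domain_match(request_host, domain)):
        raise ValueError(f"{request_host} may not set a cookie for {domain}")
    # Default Path: the request path up to, but not including, its right-most "/".
    path = attrs.get("path", request_path[:request_path.rfind("/")] or "/")
    if not request_path.startswith(path):
        raise ValueError(f"Path {path} is not a prefix of {request_path}")
    expires = now + int(attrs["max-age"]) if "max-age" in attrs else None  # Max-Age=0 discards at once
    return Cookie(name.strip(), value.strip().strip('"'), domain, path, expires)


class CookieJar:
    def __init__(self):
        self.cookies: Dict[Tuple[str, str, str], Cookie] = {}

    def store(self, cookie: Cookie, now: float) -> None:
        key = (cookie.name, cookie.domain, cookie.path)
        if cookie.expires is not None and cookie.expires <= now:
            self.cookies.pop(key, None)  # already expired: discard (this is how a server deletes a cookie)
        else:
            self.cookies[key] = cookie

    def cookie_header(self, host: str, path: str, now: float) -> Optional[str]:
        """Apply the Domain, Path and Max-Age selection rules for one request."""
        chosen = []
        for key, c in list(self.cookies.items()):
            if c.expires is not None and c.expires <= now:
                del self.cookies[key]  # Max-Age selection
            elif domain_match(host, c.domain) and path.startswith(c.path):
                chosen.append(c)  # Domain and Path selection
        if not chosen:
            return None
        chosen.sort(key=lambda c: len(c.path), reverse=True)  # more specific paths first
        return "; ".join(f"{c.name}={c.value}" for c in chosen)


class SessionServer:
    """Server side: the cookie carries only a random session id; the user record
    stays in the server's table (a dict standing in for the user database)."""
    def __init__(self):
        self.sessions: Dict[str, str] = {}

    def login(self, user: str, max_age: int = 3600) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable; a counter would let anyone forge a session
        self.sessions[sid] = user
        return f"SESSION={sid}; Path=/; Max-Age={max_age}"

    def user_for(self, cookie_header: Optional[str]) -> Optional[str]:
        for pair in (cookie_header or "").split(";"):
            name, _, value = pair.strip().partition("=")
            if name == "SESSION":
                return self.sessions.get(value)
        return None


def demo(now: Optional[float] = None) -> dict:
    """Login response, jar stores the cookie, later requests carry it (constructed hosts)."""
    now = time.time() if now is None else now
    server, jar = SessionServer(), CookieJar()
    set_cookie = server.login("apg")  # response to POST /login at www.cs.nyu.edu
    jar.store(parse_set_cookie(set_cookie, "www.cs.nyu.edu", "/login", now), now)
    return {
        "user": server.user_for(jar.cookie_header("www.cs.nyu.edu", "/grades", now)),
        "other_host": jar.cookie_header("www.example.com", "/", now),
        "after_expiry": jar.cookie_header("www.cs.nyu.edu", "/grades", now + 3601),
    }
```

demo() returns the user for the same-host request, no Cookie header at all for another host, and nothing once Max-Age has elapsed; the Domain check in parse_set_cookie is the one browsers rely on so that one site cannot plant cookies that another site will send back.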
Web Server Programming Environments
Single request
  CGI / fast-CGI
  APIs: Netscape (NSAPI), Microsoft (ISAPI)
  Templates: web page = program; database interface; full language
  Servlets
Multiple request
  Process, with control flow

Templates
HTML with embedded commands, e.g. Oracle, Allaire Cold Fusion
Specialized tags get interpreted by programs / DB queries
The template is filled in by the output of the program; may be compiled
Example: Cold Fusion
A web page/file is a Cold Fusion module, or CFM
Accessing the page
  Loads the Cold Fusion interpreter, which
  'executes' the page and
  Returns HTML

CFM tags
  HTML
  CF
CF concepts
  Variables
  Control flow
  SQL
  Tables
CF Example: download data to a spreadsheet

    <!--- The CFQUERY/CFOUTPUT tags were lost in extraction and are restored here;
          the query and datasource names are placeholders --->
    <CFQUERY NAME="people_q" DATASOURCE="people_db">
        Select first_name, last_name from people
    </CFQUERY>
    <TABLE>
      <TR><TH>First name</TH><TH>Last Name</TH></TR>
      <CFOUTPUT QUERY="people_q">
        <TR><TD>#first_name#</TD><TD>#last_name#</TD></TR>
      </CFOUTPUT>
    </TABLE>
Server Programming: Session
Variety of techniques
  Custom Java 'Process' - Interworld
  'Dynamo' - Art Technology Group
Connection: close
HTTPS Connection (the slide's pseudocode written out in C with OpenSSL)

    #include <openssl/ssl.h>
    #include <unistd.h>
    #include <stdlib.h>

    typedef struct { int sock; SSL *ssl; } conn_t;   /* ssl == NULL for plain HTTP */

    conn_t *http_connect(const char *host, int port, int https)
    {
        static SSL_CTX *ctx;
        conn_t *c = calloc(1, sizeof *c);
        if (!port)
            port = https ? 443 : 80;                 /* default port */
        c->sock = TCP_connect(host, port);           /* socket() + connect(), as in earlier lectures */
        if (https) {
            if (!ctx)
                ctx = SSL_CTX_new(SSLv23_client_method());
            c->ssl = SSL_new(ctx);
            SSL_set_fd(c->ssl, c->sock);
            SSL_connect(c->ssl);                     /* handshake only: without SSL_CTX_set_verify()
                                                        the server's certificate is never checked */
        }
        return c;
    }

    /* write */
    int conn_write(conn_t *c, const void *buf, int n)
    {
        return c->ssl ? SSL_write(c->ssl, buf, n) : write(c->sock, buf, n);
    }

    /* read */
    int conn_read(conn_t *c, void *buf, int n)
    {
        return c->ssl ? SSL_read(c->ssl, buf, n) : read(c->sock, buf, n);
    }
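The same connect/write/read branching, as an added example in Python rather than the lecture's C, with the check the pseudocode omits: the server certificate and hostname are verified, so a hostile intermediary cannot simply present its own certificate. The URL and request headers are constructed for the example; plan_connection() runs offline, fetch() actually opens the connection.

```python
"""Added example, not the lecture's code: HTTP/HTTPS GET with Python's ssl
module, applying the default ports of the slide and verifying the server."""
import socket
import ssl
from urllib.parse import urlsplit


def plan_connection(url: str):
    """Return (https, host, port, request_bytes) for a GET of url, applying the
    default ports 443/80 exactly as the slide's pseudocode does."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        raise ValueError("need an absolute http:// or https:// URL")
    https = u.scheme == "https"
    port = u.port or (443 if https else 80)
    path = (u.path or "/") + (f"?{u.query}" if u.query else "")
    request = (f"GET {path} HTTP/1.0\r\n"
               f"Host: {u.hostname}\r\n"
               "Connection: close\r\n\r\n").encode()   # HTTP/1.0 style: one request per connection
    return https, u.hostname, port, request


def fetch(url: str, timeout: float = 10.0) -> bytes:
    """Open TCP, wrap in TLS when https, send the request, read until the server closes."""
    https, host, port, request = plan_connection(url)
    s = socket.create_connection((host, port), timeout=timeout)   # TCP_connect
    if https:
        # create_default_context() sets verify_mode=CERT_REQUIRED and check_hostname=True,
        # which is the part the slide's SSL_connect() leaves out.
        ctx = ssl.create_default_context()
        s = ctx.wrap_socket(s, server_hostname=host)   # SSL_connect, with SNI and verification
    try:
        s.sendall(request)          # the socket object hides the SSL_write / write branch
        chunks = []
        while True:
            data = s.recv(4096)     # likewise SSL_read / read
            if not data:
                break
            chunks.append(data)
        return b"".join(chunks)
    finally:
        s.close()


if __name__ == "__main__":
    import sys
    print(fetch(sys.argv[1]).decode("latin-1")[:1024])
```

A certificate that does not chain to a trusted root, or whose name does not match the host, makes wrap_socket raise ssl.SSLCertVerificationError instead of silently talking to whoever answered on port 443.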