Internet and Intranet Protocols and Applications Lecture 13: Web Beyond HTTP 4/25/2000 Arthur P. Goldberg Computer Science Department New York University [email protected]


Page 1 (title slide)

Internet and Intranet Protocols and Applications

Lecture 13: Web Beyond HTTP

4/25/2000

Arthur P. Goldberg

Computer Science Department

New York University

[email protected]

Page 2

Web Beyond HTTP

• HTTP offers limited request/response semantics
– Unrelated requests
– Non-secure communications

Page 3

Some critical extensions for client/server applications

• Security – encryption/authentication
• SSL
• Sessions – Cookies
• Programming environments built on them

Page 4

Secure Communications Goal

Client ----- Hostile Network ----- Server
||
Client - Server, in a room by themselves

• Cryptographic protocols provide
• Authenticate
– Reliably identify each other
• Encryption
– Messages cannot be read, modified, or created by hostile intermediaries

Page 5

HTTPS

Protocol stack (top to bottom):

HTTPS
SSL
TCP

Page 6

Key SSL Calls

    Socket = connect( ... );                     /* TCP connection first */
    SSL_struct = SSL_new( ctx );                 /* create an SSL structure; OpenSSL's SSL_new
                                                    takes an SSL_CTX created earlier */
    SSL_set_fd( SSL_struct, Socket );            /* bind it to the socket */
    SSL_connect( SSL_struct );                   /* run the SSL handshake */
    ret_code = SSL_write( SSL_struct, buffer, num_bytes );
    /* o o o */
    ret_code = SSL_read( SSL_struct, buffer_pointer, num_bytes );

Page 7

Establish a New SSL Connection

Client Browser                                   Web Server
  ---- TCP Connect ------------------------------->
  ---- Hello ------------------------------------->
  <--- Hello, Certificate -------------------------
  ---- Key exchange, Change Cipher Spec ---------->
  <--- Change Cipher Spec -------------------------

SSL connect: creating a new session key

Page 8

Reestablish an SSL Connection

Client Browser                                   Web Server
  ---- SYN --------------------------------------->   (TCP Connect)
  <--- ACK/SYN ------------------------------------
  ---- Client Hello ------------------------------>
  <--- Server Hello, Change Cipher Spec -----------
  <--- Finished -----------------------------------

SSL connect: reusing the cached session key

Page 9

HTTP state management mechanism - “cookies”

• A ‘cookie’: a session identifier
• RFC 2109, 2/97, Kristol & Montulli

Page 10

Cookie Headers

• Set-Cookie – server to client
• Cookie – client to server

Page 11

Set-Cookie response header

• Name=value;
• [Domain=value;]
– the domain for which the cookie is valid (defaults to the request-host)
• [Path=value;]
– the subset of URLs to which the cookie applies
• [Max-Age=value]
– the lifetime of the cookie, in seconds

Page 12

Caching

• To suppress caching of the Set-Cookie header in HTTP 1.1
– Cache-control: no-cache="set-cookie"

Page 13

Cookie request header

• Cookie:
– NAME=VALUE [";" path] [";" domain]
– Multiple name=value pairs

Page 14

Cookie selection

• Rules for choosing cookie-values from all the browser’s cookies
• Domain Selection
– The origin server's fully-qualified host name must domain-match the Domain attribute of the cookie.
• Path Selection
– The Path attribute of the cookie must match a prefix of the request-URI.
• Max-Age Selection
– Cookies that have expired should have been discarded
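As an added example that is not part of the lecture slides, the Python cookie store below implements the Set-Cookie attributes of Page 11 (Name, Domain, Path, Max-Age with their defaults) and the domain-match, path-prefix and Max-Age selection rules of Page 14 when building the Cookie request header of Page 13. The sample Set-Cookie headers, hosts and timestamps are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Added example (not from the slides): a minimal RFC 2109 cookie store
# implementing the Page 11 attributes and the Page 14 selection rules.

def parse_set_cookie(header, request_host, request_path, now):
    """Parse one Set-Cookie header value received from request_host."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    # Defaults: Domain = request-host; Path = request path up to last "/"
    cookie = {"name": name.strip(), "value": value.strip(),
              "domain": request_host.lower(),
              "path": request_path.rsplit("/", 1)[0] or "/",
              "expires": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            cookie["domain"] = val.lower()
        elif key == "path":
            cookie["path"] = val
        elif key == "max-age":
            cookie["expires"] = now + int(val)   # lifetime in seconds
    return cookie

def domain_match(host, domain):
    """Does the request host domain-match the cookie's Domain attribute?"""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    # A leading-dot Domain such as ".nyu.edu" covers every host under it,
    # so a broad Domain widens the set of servers that receive the cookie.
    return domain.startswith(".") and host.endswith(domain)

def select_cookies(jar, url, now):
    """Apply the Page 14 selection rules and build the Cookie header value."""
    u = urlsplit(url)
    host, path = u.hostname, u.path or "/"
    chosen = []
    for c in jar:
        if c["expires"] is not None and now >= c["expires"]:
            continue                       # expired: should be discarded
        if domain_match(host, c["domain"]) and path.startswith(c["path"]):
            chosen.append(c)
    chosen.sort(key=lambda c: -len(c["path"]))   # more specific paths first
    return "; ".join(f'{c["name"]}={c["value"]}' for c in chosen)

# Constructed sample responses: (Set-Cookie value, request host, request path)
SAMPLE_SET_COOKIE = [
    ("SESSION=abc123; Domain=.nyu.edu; Path=/; Max-Age=3600", "www.cs.nyu.edu", "/"),
    ("PREF=dark; Path=/lecture", "www.cs.nyu.edu", "/lecture/13"),
    ("OLD=stale; Max-Age=0", "www.cs.nyu.edu", "/"),
]
```

Building a jar from SAMPLE_SET_COOKIE at time 1000 and asking for http://www.cs.nyu.edu/lecture/13 yields "PREF=dark; SESSION=abc123": the Max-Age=0 cookie is discarded, and a request to another domain gets no cookies at all.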

Page 15

Server cookie use

• Unique ID for the session / argument to lookups
• Key into the user database

Page 16

Web Server Programming Environments

• Single Request
– CGI / fast-CGI
– APIs: Netscape (NSAPI), Microsoft (ISAPI)
– Templates: web page = program; database interface; full language
– Servlets
• Multiple Request
– Process, with control flow

Page 17

HTML with embedded commands

• e.g. Oracle, Allaire Cold Fusion

Page 18

Specialized tags get interpreted by programs / DB queries

• Template
<HTML>
< If_* >   (filled in by the output of a program)
</HTML>
• may be compiled

Page 19

Example: Cold Fusion

• Web page/file is a Cold Fusion module, or CFM
• Accessing the page
– loads the Cold Fusion interpreter, which
– ‘executes’ the page and
– returns HTML

Page 20

CFM

• TAGS
– HTML
– CF
• CF concepts
– Variables
– Control flow
– SQL
– Tables

Page 21

CF Example

• download data to a spreadsheet

<cfcontent type="application/msexcel">
<cfquery name="test" datasource="lims" dbtype="ODBC">
    Select first_name, last_name from people
</cfquery>
<table>
<tr><td>First name</td><td>Last Name</td></tr>
<cfoutput query="test">
<tr><td>#first_name#</td><td>#last_name#</td></tr>
</cfoutput>
</table>

Page 22

CF Example

<CFIF IsDefined("url.querySaveOpen")>
    <CFIF url.QuerySaveOpen IS APPL.SAVEQUERY>
        <cflocation url="savequery.cfm">
    <CFELSEIF url.QuerySaveOpen IS APPL.OPENQUERY>
        <cflocation url="openquery.cfm">
    </CFIF>
</CFIF>

Page 23

Server Programming

• Session – variety of techniques
• Custom JAVA ‘Process’ – Interworld
• ‘Dynamo’ – Art Technology Group

Page 24

Connection: close

Page 25

HTTPS Connection Pseudo code

    if (HTTPS) Default_port = 443;
    else       Default_port = 80;
    if (!port) port = Default_port;
    s = TCP_connect(host, port);
    if (HTTPS) SSL_handle = SSL_connect(s);  /* SSL handshake over the TCP socket;
                                                the handshake alone does not prove who
                                                the server is, so verify the server's
                                                certificate before sending data */

Page 26

    /* write */
    if (HTTPS)
        rc = SSL_write(SSL_handle, buf, n);   /* encrypted, via the SSL handle */
    else
        rc = write(s, buf, n);                /* plain TCP socket */

Page 27

    /* read */
    if (HTTPS)
        rc = SSL_read(SSL_handle, buf, n);    /* decrypted, via the SSL handle */
    else
        rc = read(s, buf, n);                 /* plain TCP socket */