CGI Programming: Part 2
Robert M. Dondero, Ph.D.
Princeton University
1
Objectives

You will learn about:

Stateful CGI programming
    Via URL rewriting, hidden form fields, cookies
    In Python and Java
2
The Need for State

Problem:
    CGI is a stateless protocol
    Neither browser nor web server remembers previous interactions
    CGI program exits; so it can't remember either!
3
Examples of the Need for State

Personalization
    Remember user preferences
Session management
    Manage "shopping cart"
In Pennypack application:
    Want "previous search" field in searchform page
Demo of PennypackPython3
4
Example of the Need for State
Browser
    …
    <form action="searchresults.cgi" method="get">
    …
    Prev search: (None)
User enters "Ker"
Web Server
    searchresults.cgi
Browser
    …
    Click here to do another author search
    <a href="searchform.cgi">
Web Server
    searchform.cgi
    Doesn't know previous author
Browser
    …
    <form action="searchresults.cgi" method="get">
    …
    Prev search: ???
5
State via URL Rewriting

Solution 1: URL rewriting

Append state data to end of URL
6
State via URL Rewriting Example
Browser
    …
    <form action="searchresults.cgi" method="get">
    …
    Prev search: (None)
User enters "Ker"
Web Server
    searchresults.cgi
    Performs URL rewriting
Browser
    …
    Click here to do another author search
    <a href="searchform.cgi?prevAuthor=Ker">
Web Server
    searchform.cgi
    Does know previous author
Browser
    …
    <form action="searchresults.cgi" method="get">
    …
    Prev search: Ker
7
State via Hidden Form Fields

Solution 2: Hidden form fields

Place state data into form

"input" tag of type "hidden"

Browser does not display
8
State via Form Fields Example
Browser
    …
    <form action="searchresults.cgi" method="get">
    …
    Prev search: (None)
User enters "Ker"
Web Server
    searchresults.cgi
    Generates hidden form field
Browser
    …
    Click here to do another author search
    <form action="searchform.cgi" method="get">
    <input type="hidden" name="prevAuthor" value="Ker">
    <input type="submit">...
Web Server
    searchform.cgi
    Does know previous author
Browser
    …
    <form action="searchresults.cgi" method="get">
    …
    Prev search: Ker
9
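An added example, not part of the original slides or the Pennypack code, covering both URL rewriting and hidden form fields: the state leaves the server inside a URL or an HTML attribute and comes back in QUERY_STRING under the user's control, so it is encoded on the way out and escaped again before it is echoed. The function names and the sample author string are assumptions.

```python
import html
from urllib.parse import urlencode, parse_qs

def rewrite_url(page, prev_author):
    # URL rewriting: append the state to the end of the URL, percent-encoded
    # so that '&', '=', '#' or spaces in the value cannot alter the query string.
    return page + "?" + urlencode({"prevAuthor": prev_author})

def link_with_state(page, prev_author, text):
    # The rewritten URL sits inside an HTML attribute, so escape it for HTML too.
    href = html.escape(rewrite_url(page, prev_author), quote=True)
    return '<a href="%s">%s</a>' % (href, html.escape(text))

def hidden_field(name, value):
    # Hidden form field: the browser does not display it, but the user can
    # still read and change it, and a quote in the value must not end the attribute.
    return '<input type="hidden" name="%s" value="%s">' % (
        html.escape(name, quote=True), html.escape(value, quote=True))

def read_prev_author(query_string):
    # searchform.cgi on the next request: both techniques arrive in
    # QUERY_STRING because the forms use method="get".
    values = parse_qs(query_string).get("prevAuthor", [])
    return values[0] if values else "(None)"

def prev_search_line(query_string):
    # The value came back from the client, so escape it before echoing it.
    return "Prev search: " + html.escape(read_prev_author(query_string))

if __name__ == "__main__":
    author = 'Ker & "Ritchie"'  # constructed sample input
    print(link_with_state("searchform.cgi", author,
                          "Click here to do another author search"))
    print(hidden_field("prevAuthor", author))
    print(prev_search_line("prevAuthor=Ker"))
```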
State via Cookies

Solution 3: Cookies

Web server:
    Places state in a cookie
    Passes cookie to browser as header
    And then...
10
State via Cookies

Browser:
    Retains cookie in memory or client file system
        Until specified cookie expiry date
        Until human user explicitly deletes it
    Passes cookie to web server as header
        But only to same domain (and path) that sent it originally
11
Cookie Attributes

Cookie attributes:
    Name
    Content
    Host
        The domain to which the browser should send the cookie
        Default is the domain of the page that set the cookie
        Can specify a subdomain of origin, but not a completely different domain
12
Cookie Attributes

Cookie attributes (cont):
    Path
        The directory where the cookie is active
        Default is the directory of page that created cookie
    Expiry date
        Default is this browser session
13
State via Cookies Example
Browser
    …
    <form action="searchresults.cgi" method="get">
    …
    Prev search: (None)
User enters "Ker"
Browser to Web Server
    GET searchresults.cgi?author=Ker HTTP/1.1
    Host: www.cs.princeton.edu
    <blank line>
Web Server to searchresults.cgi
    QUERY_STRING: author=Ker
searchresults.cgi to Web Server
    Set-Cookie: prevAuthor=Ker
    Content-type: Text/html
    <blank line>
    <HTML page>
14
State via Cookies Example
Web Server to Browser
    HTTP/1.1 200 OK
    Date: date
    Server: www.cs.princeton.edu
    Set-Cookie: prevAuthor=Ker
    …
    Content-Type: Text/html
    <Blank line>
    <HTML page>
Browser
    …
    Click here to do another author search
    <a href="searchform.cgi">
Browser retains cookie
Browser to Web Server
    GET searchform.cgi HTTP/1.1
    Host: www.cs.princeton.edu
    Cookie: prevAuthor=Ker
    <blank line>
Web Server to searchform.cgi
    HTTP_COOKIE: prevAuthor=Ker
15
State via Cookies Example
searchform.cgi
    Knows previous author via HTTP_COOKIE env var
searchform.cgi to Web Server
    Content-type: Text/html
    <blank line>
    <HTML page containing Ker>
Web Server to Browser
    HTTP/1.1 200 OK
    Date: date
    Server: www.cs.princeton.edu
    …
    Content-Type: Text/html
    <Blank line>
    <HTML page containing Ker>
Browser
    …
    <form action="searchresults.cgi" method="get">
    …
    Prev search: Ker
16
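The cookie exchange above written with Python's standard http.cookies module, as an added example that is not the PennypackPython3 code: one function produces the headers searchresults.cgi prints, the others recover prevAuthor from the HTTP_COOKIE environment variable in searchform.cgi. The function names, the Path value and the HttpOnly flag are assumptions; the cookie is sent by the client, so its content is escaped before it is placed in the page.

```python
import html
import os
from http.cookies import SimpleCookie, CookieError

def searchresults_headers(author):
    # searchresults.cgi: ask the browser to store the prevAuthor cookie.
    cookie = SimpleCookie()
    cookie["prevAuthor"] = author              # name and content
    cookie["prevAuthor"]["path"] = "/"         # Path attribute (assumed value)
    cookie["prevAuthor"]["httponly"] = True    # not readable by page scripts
    # No expiry date is set: the default lifetime is this browser session.
    return cookie.output() + "\r\nContent-type: text/html\r\n\r\n"

def prev_author_from_env(environ):
    # searchform.cgi: the web server passes the Cookie header in HTTP_COOKIE.
    cookie = SimpleCookie()
    try:
        cookie.load(environ.get("HTTP_COOKIE", ""))
    except CookieError:
        return "(None)"                        # malformed header: no state
    morsel = cookie.get("prevAuthor")
    return morsel.value if morsel is not None else "(None)"

def prev_search_line(environ):
    # Cookie content is client-controlled; escape it before echoing it.
    return "Prev search: " + html.escape(prev_author_from_env(environ))

if __name__ == "__main__":
    print(searchresults_headers("Ker"), end="")
    print(prev_search_line(os.environ))
```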
PennypackPython3 Application

See PennypackPython3 application

book.py (same)

database.py (same)

common.py (same)

index.html (same)
17
PennypackPython3 Application

searchform.cgi (same)
searchform.py (different)
    Uses prevAuthor cookie passed by browser
searchresults.cgi (same)
searchresults.py (different)
    Asks browser to store prevAuthor cookie
Try viewing cookies in Firefox:
    Tools → Page Info → Security → View Cookies
18
PennypackJava3 Application

See PennypackJava3 application

Book.java (same)

Database.java (same)

Common.java (same)

index.html (same)
19
PennypackJava3 Application

searchform.cgi (same)
SearchForm.java (different)
    Uses prevAuthor cookie passed by browser
searchresults.cgi (same)
SearchResults.java (different)
    Asks browser to store prevAuthor cookie
Cgi.java (different)
    See cookie-handling code
    Primitive: Handles only name and content attributes
20
PennypackJava3 Application

Try viewing cookies in Firefox:

Tools → Page Info → Security → View Cookies
21
Cookie Issue: Size

Problem:
    Cookie size is limited to 4K
Solution:
    Cookie content stored on server-side (in database), indexed by a unique key
    Cookie contains key only
22
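The server-side approach above as an added example (not from the original slides): the state lives in a store on the server and the cookie carries only a random key, so the cookie stays small and a key the server never issued maps to no state. The in-memory dictionary standing in for the database, the cookie name sessionKey and the function names are assumptions.

```python
import secrets
from http.cookies import SimpleCookie, CookieError

SESSIONS = {}  # stand-in for the server-side database (assumption)

def create_session(state):
    # Unique key that cannot be guessed; the state itself never leaves the server.
    key = secrets.token_urlsafe(32)
    SESSIONS[key] = dict(state)
    return key

def session_cookie_header(key):
    # Cookie contains the key only.
    cookie = SimpleCookie()
    cookie["sessionKey"] = key                 # hypothetical cookie name
    cookie["sessionKey"]["httponly"] = True
    return cookie.output()

def load_session(environ):
    # Look the key up; a missing, malformed or unknown key yields no state.
    try:
        cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    except CookieError:
        return None
    morsel = cookie.get("sessionKey")
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)

if __name__ == "__main__":
    # Constructed sample state, far larger than a 4K cookie could hold.
    state = {"prevAuthor": "Ker", "cart": ["book"] * 2000}
    key = create_session(state)
    print(len(session_cookie_header(key)), "bytes of cookie header")
    print(load_session({"HTTP_COOKIE": "sessionKey=" + key})["prevAuthor"])
```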
Cookie Issue: Disabled Cookies

Problem:
    User may disable browser cookies
Solution:
    Ask the user to enable them! Or...
    Add more logic
        Fall back to URL rewriting or hidden form fields if necessary
23
Cookie Issue: 3rd Party Cookies

Problem:
    Third-party cookies can invade privacy
    (See http://www.google.com/doubleclick/)
24
Cookie Issue: 3rd Party Cookies

AdConsultant contracts with Company1 & Company2

Browser and Company1.com
    Page which includes (hidden) image from AdConsultant.com
Browser and AdConsultant.com
    User visited Company1
    Image
    Set AdConsultant cookie: User visited Company1
AdConsultant knows that user visited Company1
25
Cookie Issue: 3rd Party Cookies

Browser and Company2.com
    Page which includes (hidden) image from AdConsultant.com
Browser and AdConsultant.com
    User visited Company2
    AdConsultant cookie: User visited Company1
    Image
    Set AdConsultant cookie: User visited Company2
AdConsultant knows that user visited Company1 and Company2
AdConsultant provides user profile to Company1 & Company2
26
Cookie Issue: 3rd Party Cookies

Solution:
    Some browsers allow refusal of third-party cookies
    In Firefox:
        Edit → Preferences → Privacy → "Firefox will" → "Use custom settings for history"
        Then uncheck "Accept third-party cookies"
27
Summary

We have covered:

Stateful CGI programming
    Via URL rewriting, hidden form fields, cookies
    In Python and Java
28