MIS 324 -- Professor Sandvig, 11/22/2018
Maintaining State

Outline
  Client-Server Model
  Tools: Cookies, Sessions
  Security
Client-Server Model
  Communication is intermittent: each request stands on its own
  Server needs to know the "state" of each client: logged-in UserID, items in cart, etc.
  Solution: cookies
Cookies
  Created by server (us)
  Stored on user's computer
  Included with each subsequent request
  Persist between sessions
Cookies: Write and Read
  Write, single value per cookie:
    Response.Cookies["Name"].Value = "Bart";
  Write, multiple values per cookie:
    Response.Cookies["Name"]["First"] = "Bart";
    Response.Cookies["Name"]["Last"] = "Simpson";
  Read:
    Request.Cookies["Name"].Value;
    Request.Cookies["Name"]["First"];   // sub-value indexer returns the string directly, no .Value
Cookies: Expiration
  Default: deleted when the browser is closed
    Response.Cookies["CookieName"].Expires = DateTime.Now.AddDays(180);
  Delete a cookie: set its expiration to the past (e.g. AddDays(-1))
Cookies: Testing for a cookie
  Attempting to read a cookie that is not present throws:
    Error: Object reference not set to an instance of an object
  Solution: check for null first
    if (Request.Cookies["Name"] != null)
    {
        // safe to read cookie
        name = Request.Cookies["Name"].Value;
    }
Cookies: example, Amazon.com
Cookies: user can block them (Chrome settings); the server can't do much about it
Cookies: example, Gmail
Cookies: Benefits and Drawbacks
  Benefits:
    Persist between sessions
    Keep track of usernames, last visit, etc.
    Easy to use
  Drawbacks:
    Client can block
    Not secure
  Example: output (see handout for source)
Sessions
  Data stored on the server
  Server creates a unique session ID for each user
  Session data stored in server memory
  Create:
    Session["LastName"] = "Simpson";
  Delete:
    Session.Abandon();          // deletes the whole session
    Session.Remove("LastName"); // removes a single item
  Uses a cookie to pass the SessionID with each request
  User must have cookies enabled
  Class example: view the session cookie with Chrome developer tools
Sessions: Expiration, Benefits, Drawbacks
  Expiration default: 20 minutes
    Session.Timeout = 60;
  Benefits:
    Secure: client cannot view, edit, or delete session data
    Automatic timeout
  Drawbacks:
    Do not persist between sessions
    Require cookies
    Use server resources
Security: Session Hijacking
  Cookie hijacking: a thief steals the sessionID cookie
  With the sessionID, the thief impersonates the user
Security: Solution
  SSL
    Browser verifies the identity of the server
    Encrypts all data in transit
Security: Require SSL for the project (easy)
  Add to Global.asax:
    GlobalFilters.Filters.Add(new RequireHttpsAttribute());
  Not in MIS 324: too many issues with Visual Studio in the labs
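The cookie, session and SSL calls from the slides above, combined into one ASP.NET MVC controller as an added example (not code from the lecture or its handout). The controller name, the "Visitor" cookie name, the action names and the HttpOnly/Secure flags are my assumptions; the flags are standard HttpCookie properties that keep the cookie off page scripts and off plain HTTP, which is the cookie-side counterpart of the RequireHttps filter.

```csharp
// Added example: exercises the cookie and session calls from the slides.
// StateDemoController, VISITOR_COOKIE and the action names are assumptions.
using System;
using System.Web;
using System.Web.Mvc;

[RequireHttps]   // per-controller form of the Global.asax filter on the slide
public class StateDemoController : Controller
{
    private const string VISITOR_COOKIE = "Visitor";

    // GET /StateDemo/Remember?first=Bart&last=Simpson
    public ActionResult Remember(string first, string last)
    {
        // Multiple values in one cookie, as on the slide
        var cookie = new HttpCookie(VISITOR_COOKIE);
        cookie["First"] = first;
        cookie["Last"] = last;
        cookie.Expires = DateTime.Now.AddDays(180); // persist between sessions
        cookie.HttpOnly = true;  // not readable by page scripts
        cookie.Secure = true;    // only sent over HTTPS (pairs with RequireHttps)
        Response.Cookies.Add(cookie);

        // Server-side state: the client only ever sees the SessionID cookie
        Session["LastName"] = last;
        return RedirectToAction("Show");
    }

    public ActionResult Show()
    {
        // Test for the cookie first: reading a missing cookie throws
        // "Object reference not set to an instance of an object"
        HttpCookie cookie = Request.Cookies[VISITOR_COOKIE];
        string first = cookie != null ? cookie["First"] : "(no cookie)";

        // Session values are objects; a missing key returns null, not an exception
        string last = Session["LastName"] as string ?? "(no session)";

        ViewBag.Message = first + " " + last;
        return View();
    }

    public ActionResult Forget()
    {
        // Delete the cookie by sending it back with an expiration in the past
        var expired = new HttpCookie(VISITOR_COOKIE) { Expires = DateTime.Now.AddDays(-1) };
        Response.Cookies.Add(expired);
        Session.Abandon();   // drops all session data for this user
        return RedirectToAction("Show");
    }
}
```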
Summary
  Two options for maintaining state:
  Cookies
    Text stored by the browser
    Passed with each request
    Persist between sessions
  Sessions
    Data stored in server memory
    Secure
    Auto timeout
    Depend upon a cookie for the SessionID