
Persistence Maintaining state: Queries

State is the Problem
- What is state?
- facebook status
- logins (which user are you?)
- conversations: talking about what? talking to whom?

HTTP Protocol
- stateless protocol by design! (why TCP?)
- The server does not know what you did: what website you were on, what you just did on the website, who you are from page to page
- Each page is independent of the other!

Why do you care?
- Maintain items in a shopping cart
- Website user accounts
- Web apps using more than ONE page
- Allow bookmarks of query results
- Polling, statistics, advertising

Security
- Queries are not secure
- Cookies are not secure: easily accessible and editable TEXT!
- Cookies can be set Secure: the browser will only send them over HTTPS
- NOT that safe

Solution
- ONLY store session IDs or the account name: this means the cookie is a token
- SSL-secure the connection: session IDs can't be ripped off the net
  * client man-in-the-middle attacks
  * expire sessions + make new ones

URL Query
- Old school way to maintain state

Query strings
- URL (Uniform Resource Locator) / URI
- Delineator characters: ? & =
- Example: a location whose query is query="what is a cookie?" appears in the URL as query=what%20is%20a%20cookie?

The right side of ?
- window.location.search
- "?" is used to find the query in the URL
- "name" is the parameter's name
- "=" splits the name from the value
- "value" is the parameter's value
- "&" separates parameters

Automatic Queries
- onSubmit: the browser MAKES the QUERY
- Before cookies: servers put state info into ALL URLs, tags' hrefs, everything!

demo

DOM's location Object
- "hacked": JavaScript APIs can break rules
- location looks like a string: location = "website";
- location.search = "?" + right side of URL
- play with it in the Console (Firebug)

JavaScript String Object
- String objects have methods!!! substring(), substr()
- split() is extremely useful!
- .length = how long the string is
- location.search.substr(start, length);
- location.href.split('?') -> array (location itself is an object, so split its href string)

DOM's encoders
- URL/URI have strict format rules: space = %20, most stuff must be %hex
- encodeURI() / decodeURI(): doesn't encode :// and some others
- encodeURIComponent() / decodeURIComponent(): encodes any possible troublemakers
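The query-string rules from the "Query strings", "The right side of ?", "JavaScript String Object" and "DOM's encoders" slides, worked through as an added example that is not part of the original presentation: a parser that splits on `?`, `&` and `=` and percent-decodes each piece, a builder that uses `encodeURIComponent()`, and a side-by-side showing why `encodeURI()` is the wrong encoder for parameter values. A constructed string stands in for `window.location.search` so it runs offline in Node as well as in a browser console; treating `+` as a space follows the form-submit encoding convention and is an assumption beyond the slides.

```javascript
// Added example (not from the original slides): parsing and building query strings.

function percentDecode(s) {
  // decodeURIComponent() throws URIError on a malformed %-sequence (e.g. "%E0%A4%A");
  // keep the raw text in that case rather than crashing the page.
  try {
    return decodeURIComponent(s.replace(/\+/g, ' ')); // '+' as space: form-encoding convention (assumption)
  } catch (e) {
    return s;
  }
}

// Parse the right side of "?" into an object. Repeated names collect into an
// array; a name without "=" gets an empty-string value.
function parseQuery(search) {
  const params = {};
  const query = search.startsWith('?') ? search.slice(1) : search;
  if (query === '') return params;
  for (const pair of query.split('&')) {
    if (pair === '') continue;             // tolerate "a=1&&b=2"
    const eq = pair.indexOf('=');          // split only on the FIRST "=": values may contain "="
    const name = percentDecode(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? '' : percentDecode(pair.slice(eq + 1));
    if (Object.prototype.hasOwnProperty.call(params, name)) {
      params[name] = [].concat(params[name], value);
    } else {
      params[name] = value;
    }
  }
  return params;
}

// Build a query string. encodeURIComponent() escapes the delimiters themselves
// (& = ? #), which is exactly what a value inside a parameter needs.
function buildQuery(params) {
  const parts = [];
  for (const [name, value] of Object.entries(params)) {
    for (const v of [].concat(value)) {
      parts.push(encodeURIComponent(name) + '=' + encodeURIComponent(String(v)));
    }
  }
  return parts.length ? '?' + parts.join('&') : '';
}

// Contrast: encodeURI() leaves "&" and "=" alone (it is meant for whole URLs),
// so a value containing them is read back as extra parameters.
function buildQueryWithEncodeURI(params) {
  return '?' + Object.entries(params)
    .map(([n, v]) => encodeURI(n) + '=' + encodeURI(String(v)))
    .join('&');
}

// The slide's example, encoded both ways: encodeURI keeps the trailing "?",
// encodeURIComponent turns it into %3F; both decode back to the same text.
function slideExample() {
  const text = 'what is a cookie?';
  return {
    uri: encodeURI(text),
    component: encodeURIComponent(text),
    parsed: parseQuery(buildQuery({ query: text })),
  };
}

module.exports = { percentDecode, parseQuery, buildQuery, buildQueryWithEncodeURI, slideExample };
```

In a browser, `parseQuery(window.location.search)` gives the same result as the slides' manual `substr()`/`split()` work; the `buildQueryWithEncodeURI` case is the one to keep in mind when a parameter value comes from user input.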