Client State Management & Application Security

Outline:
- Client state management concept
- ASP examples
- Application security: a database-based approach
- A multi-level security example
Slide 2: Stateless Characteristics of the Web
- Each request from a browser is treated as a new, unrelated request
- Web servers keep no memory of the state of each browser (client)
- Problems caused by statelessness:
  - No concept of client identity
  - A client cannot be tracked from one request to the next
- Statelessness is not acceptable for web applications that require client identity
Slide 3: Persistence Levels of Client States
Slide 4: Client Session Definition
- A client session starts when a browser (client) requests its first web page
- A client session ends when the client has been inactive beyond the specified timeout period
- A client session is specific to one client; each session is identified by a unique session ID
- Client session variables:
  - Store information shared by all pages visited by that specific client
  - Can be introduced as needed
  - Are undefined after the timeout
Slide 5: Application Definition
- An application is a collection of dynamic web pages stored in a directory tree
- An application session starts when the first page of the application is requested by any client
- An application session ends after the timeout or when the web server is shut down
- Application variables:
  - Store information shared by all clients
  - Can be defined as needed
Slide 6: ASP Application Sessions
- Defined by a special file named global.asa
- global.asa provides two application events:
  - Application_OnStart: fires when the application is visited for the first time by a client
  - Application_OnEnd: fires when the application is shut down
Slide 7: Application Variable Changes
- More than one client may modify an application variable concurrently, because every request shares the same Application object
- To let only one client change application variables at a time, wrap the writes in Application.Lock / Application.UnLock:

    <%
    Application.Lock
    Application("accountID") = "123-876"
    Application("clientName") = "John Smith"
    Application.UnLock
    %>

- Without the lock, two concurrent requests can interleave their writes and leave accountID and clientName belonging to different clients
Slide 8: ASP Session Variables
- global.asa can contain two additional events:
  - Session_OnStart: fires when a session starts
  - Session_OnEnd: fires when a session times out (or is abandoned)
- Session object properties:
  - Session.SessionID
  - Session.Timeout
  - Session.CodePage
  - Session.LCID
- Session object method:
  - Session.Abandon: ends the session and releases its variables
Slide 9: Pros and Cons
- Client sessions rely on cookies to work: the session ID is carried in a cookie
- When cookies are disabled, client sessions are lost (every request starts a new session)
- Web applications must therefore:
  - Detect whether the session cookie is being set and returned correctly
  - If it is not, either stop and ask the user to accept cookies, or
  - If cookies are not an acceptable solution, manage their own client sessions
- A database can be used to store persistent client information
Slide 10: A Client State Management Example
- Requires no cookies
- Uses a database to:
  - Keep each user's ID and password (store a salted hash of the password rather than the password itself)
  - Maintain a client session log table that records each page access by each client
- At the first access:
  - The user enters the assigned ID and password
  - The system validates the ID and password
  - If they do not match, the user is asked to log in again
  - If they match, the system creates a client session log entry containing:
    - A system-generated session key (it must be unpredictable, because whoever presents it is treated as the user)
    - The user ID
    - The access time
  - The session key is passed to the initial page

Slide 11: The Example (Continued)
- On subsequent visits:
  - Obtain the session key from the request
  - Query the session log table for an entry matching the session key
  - If no entry is found (or the entry has been idle past the timeout), require the user to log in first
  - If found, update the entry's last access time
  - Pass the session key on to the page
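The two slides above describe the procedure in steps. As an added example, not code from the deck, here is the same cookie-less session log implemented in Python over in-memory SQLite, standing in for the ASP pages and the site database. The table and column names, the user "jsmith", the 20-minute inactivity timeout and the timestamps are constructed for the example. Where the slides say to keep the password, the example keeps a salted PBKDF2 hash, and the session key comes from the operating system's random source, because the key alone authenticates the user on every later request.

```python
import hashlib
import hmac
import secrets
import sqlite3

SESSION_TIMEOUT = 20 * 60  # seconds of inactivity after which a session key expires (assumed)
PBKDF2_ROUNDS = 100_000


def open_db():
    """Create the two tables the slides call for (in-memory SQLite, constructed for the example)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (
            user_id TEXT PRIMARY KEY,
            salt    BLOB NOT NULL,
            pw_hash BLOB NOT NULL);        -- salted hash, never the password itself
        CREATE TABLE session_log (
            session_key  TEXT PRIMARY KEY, -- system-generated, unpredictable
            user_id      TEXT NOT NULL,
            first_access REAL NOT NULL,    -- epoch seconds
            last_access  REAL NOT NULL);
    """)
    return db


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def add_user(db, user_id, password):
    salt = secrets.token_bytes(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (user_id, salt, hash_password(password, salt)))


def login(db, user_id, password, now):
    """First access: validate ID/password; on success create a session_log entry and return the key."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE user_id = ?", (user_id,)).fetchone()
    if row is None:
        return None                       # unknown user: caller asks the user to log in again
    salt, pw_hash = row
    if not hmac.compare_digest(hash_password(password, salt), pw_hash):
        return None                       # wrong password: same response as unknown user
    key = secrets.token_urlsafe(32)       # 256 bits from the OS CSPRNG; not guessable or sequential
    db.execute("INSERT INTO session_log VALUES (?, ?, ?, ?)", (key, user_id, now, now))
    return key


def validate_session(db, session_key, now):
    """Subsequent visits: look the key up, enforce the inactivity timeout, refresh last_access.
    Returns the user_id the key belongs to, or None when the caller must redirect to login."""
    row = db.execute("SELECT user_id, last_access FROM session_log WHERE session_key = ?",
                     (session_key,)).fetchone()
    if row is None:
        return None
    user_id, last_access = row
    if now - last_access > SESSION_TIMEOUT:
        # Expired: delete the entry so the key cannot be revived later
        db.execute("DELETE FROM session_log WHERE session_key = ?", (session_key,))
        return None
    db.execute("UPDATE session_log SET last_access = ? WHERE session_key = ?", (now, session_key))
    return user_id


def logout(db, session_key):
    db.execute("DELETE FROM session_log WHERE session_key = ?", (session_key,))


def demo():
    """Walk through the flow on constructed data and return the observations as a dict."""
    db = open_db()
    add_user(db, "jsmith", "correct horse")
    t0 = 1_700_000_000.0
    bad = login(db, "jsmith", "wrong", t0)
    key = login(db, "jsmith", "correct horse", t0)
    active = validate_session(db, key, t0 + 10 * 60)    # 10 min after login: valid
    still = validate_session(db, key, t0 + 25 * 60)     # 15 min after last access: valid
    expired = validate_session(db, key, t0 + 60 * 60)   # 35 min idle: timed out, entry removed
    return {"bad_login": bad, "key_len_ok": len(key) >= 43,
            "active": active, "still": still, "expired": expired}
```

A page in the ASP scheme would call validate_session with the key it received (from a POST field or the query string) and redirect to the login page on None. Carrying the key in the URL exposes it in browser history and server logs, and potentially in the Referer header sent to other sites, so a hidden form field submitted by POST is the safer carrier when cookies are unavailable.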
Slide 12: Client State Management Processes
Slide 13: A Multiple-Level Security Example
- Different users have different access authorizations
- This calls for centralized client session and security management
Slide 14: A Solution
- Provide an administration page for each type of user
- Create a capability table that defines the pages each user type is allowed to access
- Validate the user's login and look up the user's capability
- Dynamically generate the administration page from the capability, so that it includes links only to pages the user is allowed to access
- Each protected page must still check the session and the capability itself: omitting a link does not stop a user from requesting the page by URL
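An added example, not from the deck, of the capability table and the two uses the slide makes of it, in Python over in-memory SQLite standing in for the site database. The user names, the page names and the admin/clerk user types are constructed. build_admin_page generates the per-user administration page the slide describes; authorize is the server-side check each protected page runs before serving anything, independent of whether the link was shown.

```python
import html
import sqlite3

# Constructed sample data for the example: two user types and the pages each may open.
USER_TYPES = [("alice", "admin"), ("bob", "clerk")]
CAPABILITIES = [
    ("admin", "users.asp"),
    ("admin", "reports.asp"),
    ("admin", "orders.asp"),
    ("clerk", "orders.asp"),
]


def open_security_db():
    """Capability table keyed by user type, plus the user-to-type mapping (in-memory SQLite)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user_type (user_id TEXT PRIMARY KEY, type_name TEXT NOT NULL);
        CREATE TABLE capability (type_name TEXT NOT NULL, page TEXT NOT NULL,
                                 PRIMARY KEY (type_name, page));
    """)
    db.executemany("INSERT INTO user_type VALUES (?, ?)", USER_TYPES)
    db.executemany("INSERT INTO capability VALUES (?, ?)", CAPABILITIES)
    return db


def allowed_pages(db, user_id):
    """Pages the logged-in user may access, resolved through the capability table."""
    rows = db.execute("""
        SELECT c.page FROM capability c
        JOIN user_type u ON u.type_name = c.type_name
        WHERE u.user_id = ?
        ORDER BY c.page""", (user_id,)).fetchall()
    return [page for (page,) in rows]


def build_admin_page(db, user_id):
    """Dynamically generated administration page: only links the user is allowed to follow.
    Page names are HTML-escaped because they come from the database, not from the code."""
    items = "".join(f'  <li><a href="{html.escape(p)}">{html.escape(p)}</a></li>\n'
                    for p in allowed_pages(db, user_id))
    return f"<ul>\n{items}</ul>"


def authorize(db, user_id, page):
    """Server-side check every protected page must run on each request. Leaving a link off the
    administration page is not access control: the user can type the URL directly."""
    row = db.execute("""
        SELECT 1 FROM capability c
        JOIN user_type u ON u.type_name = c.type_name
        WHERE u.user_id = ? AND c.page = ?""", (user_id, page)).fetchone()
    return row is not None
```

In the deck's architecture the user_id passed here is the one the session log returned for the presented session key, so a request with no valid session never reaches the capability lookup at all.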
Slide 15: The Security Database Model
Slide 16: Summary
- Client state management is an important task
- Client state information has different persistence levels, depending on whether it belongs to a client session or to the application
- The client state management provided by application servers usually relies on cookies
- A cookie-less approach should be used when cookies are not acceptable