Week 9 - T

Web Languages and Technologies

Bruno Veloso
brunov@upt.pt
23/09/2018

IMP.GE.190.0

HTTP Headers in PHP - Login

[Diagram: the Client (Browser) sends HTTP Requests for index.php, other.php, styles/menu.css and scripts/forms.js; the Server (Web Server) runs Apache with PHP, talks to a DB, and returns HTML in the HTTP Response.]

Application State – What is the problem?

• In desktop applications it’s normal to save the application state.
  • Configuration files, Windows Registry, etc.
  • The saved state is a user convenience.
• In web applications this becomes harder.
  • HTTP is stateless.
  • Browsers don’t have permission to create files (except downloads).


It’s not possible to save files?

• This is not a defect; it is a security measure.
• Likewise, browsers can’t read files from disk on behalf of a web page.
• So, even if we made the browser download a configuration file from the server as a download…
• … to load the configuration again we would have to upload the file when the application starts.


HTTP is stateless?

• As we saw, a second (third, fourth, etc.) connection to the same server by the same client is treated exactly like the first connection: the server keeps no memory of the earlier ones.

[Diagram: several colour-coded connections from one client to the UPT server.]

• Each colour, for all intents and purposes, represents a new client for the server.


Cookies – What are they?

• To overcome the stateless nature of the protocol and the security restrictions of the browser, a mechanism was devised whereby information is stored on the client and sent back to the server on later requests.
• Simply put, a cookie is a small piece of text saved by the browser on disk (the actual location varies depending on the browser).
• The information stored inside the cookie is the responsibility of the application/website.
• The browser is responsible for ensuring that each website/application can only access its own cookies.


Cookies – How do they work?

GET /index.html HTTP/1.1
Host: www.upt.pt

HTTP/1.1 200 OK
Content-type: text/html
Set-Cookie: name=value
Set-Cookie: name2=value2

GET /page.html HTTP/1.1
Host: www.upt.pt
Cookie: name=value; name2=value2
Accept: */*

Cookies – Attributes

• Although the information is stored as a set of name=value pairs, other information (meta-information about the cookie itself) may be attached.
• The most relevant are:
  • Expiration date (Expires=<date>)
    • If not given, the cookie expires automatically when the browser is closed.
    • After this date the browser deletes the cookie.
  • Only send over encrypted channels (Secure)
  • Only accessible through HTTP, not to client-side script (HttpOnly)
  • Where it can be accessed/used (Domain/Path)


Example of Set-Cookie header value (response)


HTTP/1.1 200 OK
Content-type: text/html
Set-Cookie: dados=marta; Domain=www.upt.pt; Path=/cursos; Expires=Tue, 13-May-2016 08:25:01 GMT; Secure; HttpOnly

• This information (“marta”) may only be accessed through HTTP requests, not from client-side script (HttpOnly).
• The cookie is only sent (client to server) over encrypted channels, i.e. HTTPS (Secure).
• Only sent to pages/code under www.upt.pt/cursos/* (Domain/Path).
• Only kept until the 13th of May 2016 (Expires).


Problems with cookies

• Cookies are sent with every request to the server (within their Domain/Path scope).
  • More bytes to send and receive.
  • Less privacy.
  • Less security: anything stored on the client can be read and modified by the user, and travels in clear text unless the channel is encrypted.
• Purely textual representation, mixing information with meta-data.
• Up to about 4 KB of data per cookie.
• https://developer.mozilla.org/en-US/docs/Web_Development/HTTP_cookies


Two Ways

• Session Cookies:
  • Cookies that the browser automatically deletes once it is closed (no Expires attribute).
  • Do not confuse them with Sessions!
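The following is an added example for this page (not the slides' own code and not a real browser's implementation): a toy cookie jar in Python that applies the scoping rules from the attributes slide, the Set-Cookie example above and the session-cookie distinction. It decides which cookies a browser would attach to a given request, following RFC 6265 for Domain, Path, Expires, Secure and HttpOnly, with simplifications (no public-suffix checks, default Path assumed to be `/`). The Set-Cookie value is the one from the slide; the second cookie, the request URLs and the clock values are constructed for the demonstration.

```python
"""Toy browser cookie jar: which cookies get attached to a request?

Added example, not the slides' code. Simplified RFC 6265 scoping rules.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional
from urllib.parse import urlsplit

# Netscape-style date as on the slide, and the RFC 1123 form browsers also accept.
EXPIRES_FORMATS = ("%a, %d-%b-%Y %H:%M:%S GMT", "%a, %d %b %Y %H:%M:%S GMT")


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                 # host that set it, or the Domain attribute
    host_only: bool = True      # True when no Domain attribute was given
    path: str = "/"             # simplification: default Path is "/"
    expires: Optional[datetime] = None   # None -> session cookie
    secure: bool = False
    http_only: bool = False


def parse_expires(text: str) -> datetime:
    for fmt in EXPIRES_FORMATS:
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised Expires date: {text!r}")


def parse_set_cookie(header: str, response_host: str) -> Cookie:
    """Parse one Set-Cookie header value received from response_host."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(), domain=response_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            cookie.domain, cookie.host_only = val.lstrip(".").lower(), False
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "expires":
            cookie.expires = parse_expires(val)
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    return cookie


def domain_matches(host: str, cookie: Cookie) -> bool:
    host = host.lower()
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_for_request(jar: List[Cookie], url: str, now: datetime,
                        for_document_cookie: bool = False) -> List[Cookie]:
    """Cookies a browser attaches to a request for url at time now.
    for_document_cookie=True models a script reading document.cookie instead."""
    u = urlsplit(url)
    host, path = (u.hostname or ""), (u.path or "/")
    sent = []
    for c in jar:
        if c.expires is not None and now >= c.expires:
            continue                                   # expired: browser deletes it
        if not domain_matches(host, c) or not path_matches(path, c.path):
            continue                                   # outside Domain/Path scope
        if c.secure and u.scheme != "https":
            continue                                   # Secure: encrypted channel only
        if c.http_only and for_document_cookie:
            continue                                   # HttpOnly: invisible to script
        sent.append(c)
    return sent


def cookie_header(jar: List[Cookie], url: str, now: datetime) -> Optional[str]:
    sent = cookies_for_request(jar, url, now)
    return "; ".join(f"{c.name}={c.value}" for c in sent) or None


def close_browser(jar: List[Cookie]) -> List[Cookie]:
    """Closing the browser discards session cookies (those without Expires)."""
    return [c for c in jar if c.expires is not None]


# Constructed input: the slide's Set-Cookie value plus a bare session cookie.
SLIDE_SET_COOKIE = ("dados=marta; Domain=www.upt.pt; Path=/cursos; "
                    "Expires=Tue, 13-May-2016 08:25:01 GMT; Secure; HttpOnly")
JAR = [parse_set_cookie(SLIDE_SET_COOKIE, "www.upt.pt"),
       parse_set_cookie("name=value", "www.upt.pt")]
BEFORE_EXPIRY = datetime(2016, 5, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2016, 5, 14, tzinfo=timezone.utc)

if __name__ == "__main__":
    for url in ("https://www.upt.pt/cursos/web", "http://www.upt.pt/cursos/web",
                "https://www.upt.pt/alunos", "https://mail.upt.pt/cursos/web"):
        print(f"{url:32} Cookie: {cookie_header(JAR, url, BEFORE_EXPIRY)}")
    print("kept after browser close:", [c.name for c in close_browser(JAR)])
```

Run it and the slide's bullets fall out of the four checks: `dados` travels only to `https://www.upt.pt/cursos/...` before 13 May 2016 and is never visible to `document.cookie`, while the bare `name=value` cookie (host-only, path `/`, no flags) goes everywhere on `www.upt.pt` over plain HTTP too, and disappears when the browser closes.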


Session

• A more secure way to store information about the user across several HTTP connections: the data itself stays on the server.
• In effect, a small database located on the server.
• There is one SESSION for each browser session.
• A browser session is a sequence of client-server connections across which state is maintained.


Session implemented with Cookie

• In PHP the cookie is named PHPSESSID by default.
• The value of the cookie is an opaque, unguessable identifier that corresponds to an entry in the server’s SESSION store; the user’s data never leaves the server.
• Since it’s a cookie, this identifier is sent on every HTTP request to the site.
• If it is intercepted (unencrypted HTTP on the wire, or script access to the cookie), a Session Hijack attack can occur: whoever presents the identifier is treated as that user. Hence the Secure and HttpOnly attributes from the previous slides.
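As an added example (not the slides' code and not PHP's own session implementation), the Python model below shows the mechanism described on this slide: a server-side store keyed by an opaque random identifier, a client that presents it in a cookie, and a hijacker who simply replays a captured cookie and is indistinguishable from the victim. It also shows the two server-side controls that limit the damage: regenerating the identifier (what PHP's `session_regenerate_id(true)` does) and destroying the session at logout. The cookie name PHPSESSID is used only as a label; the requests and the user name are constructed for the demonstration.

```python
"""Toy server-side session store keyed by an opaque cookie, with a hijack replay.

Added example, not the slides' code and not PHP's implementation.
"""
import secrets
from typing import Dict, Optional

SESSION_COOKIE = "PHPSESSID"   # PHP's default name, used here only as a label


class SessionStore:
    """The 'small database on the server': session id -> per-user data."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    @staticmethod
    def _new_id() -> str:
        # 32 bytes from the OS CSPRNG -> 43-char URL-safe id. Unguessable, so an
        # attacker must read it off the wire or out of the browser to use it.
        return secrets.token_urlsafe(32)

    def create(self) -> str:
        sid = self._new_id()
        self._sessions[sid] = {}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)

    def regenerate(self, old_sid: str) -> str:
        """Move the data to a fresh id and invalidate the old one (compare PHP's
        session_regenerate_id(true)); do this at login to defeat session fixation."""
        data = self._sessions.pop(old_sid)
        new_sid = self._new_id()
        self._sessions[new_sid] = data
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """What the server should send: off the wire (Secure), away from script (HttpOnly)."""
    return f"{SESSION_COOKIE}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_cookie_header(header: str) -> Dict[str, str]:
    cookies: Dict[str, str] = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def whoami(store: SessionStore, cookie_header: Optional[str]) -> str:
    """The server identifies the caller solely by the session id it presents."""
    sid = parse_cookie_header(cookie_header or "").get(SESSION_COOKIE, "")
    session = store.get(sid)
    return session.get("user", "anonymous") if session is not None else "anonymous"


def scenario() -> Dict[str, str]:
    """Constructed sequence of requests: victim, hijacker, guesser, mitigations."""
    store = SessionStore()
    # Victim gets a session and logs in; the server marks the session as marta's.
    sid = store.create()
    store.get(sid)["user"] = "marta"
    victim_cookie = f"{SESSION_COOKIE}={sid}"
    results = {"victim": whoami(store, victim_cookie)}
    # Attacker captured the cookie (plain HTTP on the wire, or script reading
    # document.cookie) and replays it: the server cannot tell the two apart.
    results["hijacker"] = whoami(store, victim_cookie)
    # Guessing does not work: the id space is far too large.
    results["guesser"] = whoami(store, f"{SESSION_COOKIE}=1234")
    # Regenerating the id moves marta to a new id; the captured one is now dead.
    new_sid = store.regenerate(sid)
    results["hijacker_after_regenerate"] = whoami(store, victim_cookie)
    results["victim_after_regenerate"] = whoami(store, f"{SESSION_COOKIE}={new_sid}")
    # Logout destroys the server-side entry, so the id is worthless even if kept.
    store.destroy(new_sid)
    results["victim_after_logout"] = whoami(store, f"{SESSION_COOKIE}={new_sid}")
    return results


if __name__ == "__main__":
    for step, who in scenario().items():
        print(f"{step:28} -> {who}")
    print(set_cookie_header(SessionStore().create()))
```

Note what regeneration does and does not buy: it closes the window for an identifier that was fixed or captured before login, but an identifier stolen after login stays valid until the session is destroyed or expires. Keeping it off the wire (HTTPS plus Secure) and away from scripts (HttpOnly), together with a short lifetime, is what actually prevents the hijack on this slide.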
