Saving State on the Saving State on the WWWWWW

The IssueThe Issue

Connections on the WWW are statelessConnections on the WWW are stateless Every time a link is followed is like the first Every time a link is followed is like the first

time to the server time to the server — — it has no memory for it has no memory for connectionsconnections

Why Bother To Fix This?Why Bother To Fix This?

By saving state we can…By saving state we can… Save configuration information between Save configuration information between

sessionssessions Make adaptive websites (change themselves Make adaptive websites (change themselves

to suit user’s behaviour)to suit user’s behaviour) Enable e-commerce applications (shopping Enable e-commerce applications (shopping

carts)carts)

Violate users’ privacy by tracking which Violate users’ privacy by tracking which websites and webpages they visitwebsites and webpages they visit

Saving State In GeneralSaving State In General

Methods of Saving StateMethods of Saving State

Cookies Cookies Session-level authenticationSession-level authentication formformss URL RewritingURL Rewriting

Method 1: CookiesMethod 1: Cookies

Basic ideaBasic idea Client stores data for the serverClient stores data for the server Client sends data to server with each requestClient sends data to server with each request

Details (Version 0)Details (Version 0) Required fields: Required fields: namename==valuevalue Optional fields: domain, path, secure, expiresOptional fields: domain, path, secure, expires Size: maximum 4 kilobytesSize: maximum 4 kilobytes Number: maximum 1024 cookiesNumber: maximum 1024 cookies

Aside: Cookie ConceptAside: Cookie Concept

Cookie is a computing term from long ago.Cookie is a computing term from long ago. According to According to The New Hacker’s DictionaryThe New Hacker’s Dictionary::

Something passed between subroutines or programs Something passed between subroutines or programs that enables the receiver to do something usefulthat enables the receiver to do something useful

The thing being passed is opaque to the sender (e.g. The thing being passed is opaque to the sender (e.g. time_t time_t type C libraries use)type C libraries use)

Cookies are also smallCookies are also small

‘‘The phrase “it hands you a magic cookie” means it returns a result The phrase “it hands you a magic cookie” means it returns a result whose contents are not defined but which can be passed back to whose contents are not defined but which can be passed back to the same or some other program later.’ [source for quote at end]the same or some other program later.’ [source for quote at end]

Cookie ExamplesCookie Examples

Examples at course websiteExamples at course website

• time1.cgitime1.cgi vs. vs. time2.cgitime2.cgiCompare form method with cookie methodCompare form method with cookie method

• cookie-colourcookie-colour• One program to write cookiesOne program to write cookies• One program to read cookiesOne program to read cookies• Use Use env.cgienv.cgi to see cookies in headers to see cookies in headers

Method 2:Method 2:Session-level AuthenticationSession-level Authentication

See §12.2 (Basic Authentication) in See §12.2 (Basic Authentication) in HTTP: The Definitive GuideHTTP: The Definitive Guide by by David Gourley & Brian Totty, © 2002 by O'Reilly & Associates, Inc. (ISBN: 1-David Gourley & Brian Totty, © 2002 by O'Reilly & Associates, Inc. (ISBN: 1-56592-509-2)56592-509-2)

Session (from ISO Reference Model)Session (from ISO Reference Model) Logical communication between two network end pointsLogical communication between two network end points Sessions are composed of requests and responses that occur Sessions are composed of requests and responses that occur

between applications in different network hosts.between applications in different network hosts. In browser terms a session is the longevity of the O/S processIn browser terms a session is the longevity of the O/S process

The Steps of Basic The Steps of Basic AuthenticationAuthentication

1.1. Browser requests resource from server applicationBrowser requests resource from server application usually with GET protocolusually with GET protocol

2.2. Server replies with code 401 (authorization required)Server replies with code 401 (authorization required)

3.3. Browser prompts userBrowser prompts user for name & passwordfor name & password

4.4. Browser resends request including the name & password (in the network Browser resends request including the name & password (in the network header)header)

Every time the browser makes a request for that resource it will send the Every time the browser makes a request for that resource it will send the name & password, until the end of the sessionname & password, until the end of the session

The name & password are like a cookie that is stored in RAMThe name & password are like a cookie that is stored in RAM Because they are in RAM they will be forgotten when the browser quits (i.e., at Because they are in RAM they will be forgotten when the browser quits (i.e., at

the end of the session)the end of the session)

Method 3: Method 3: formforms with hidden fieldss with hidden fields

We usually pull webpages in from a serverWe usually pull webpages in from a server Forms are for pushing data to the serverForms are for pushing data to the server To use forms we need to use CGI protocolTo use forms we need to use CGI protocol

CGI = common gateway interfaceCGI = common gateway interface An application layer protocol that allows client An application layer protocol that allows client

to send data to the serverto send data to the server

Two Two formform Methods Methodsmethod=“get”method=“get” method=“post”method=“post”

Data is part of URLData is part of URL Data is Data is notnot part of URL part of URL

Only used for simple Only used for simple requests (e.g. search requests (e.g. search engine queries)engine queries)

Can be used for file Can be used for file uploadupload

Conceptually: a query Conceptually: a query of a databaseof a database

Conceptually: an Conceptually: an alteration to a databasealteration to a database

See See form examples online

Saving State With Saving State With formformss

Hidden post & simple getHidden post & simple get Did you see the hidden field?Did you see the hidden field? Did you see the hidden data?Did you see the hidden data?

That’s one way of saving state:That’s one way of saving state: Placing the data in a Placing the data in a formform so that every time the form so that every time the form

is submitted (sent to the server) the data is sent toois submitted (sent to the server) the data is sent too

• Examples using CGI program to generate a Examples using CGI program to generate a formform Loan.cgi and multi-page.cgiLoan.cgi and multi-page.cgi

Essence of State Saving Essence of State Saving Using Using formformss

Browser

CGIprogram(s)

form in HTML file

State info.

State info.

Essence of State Saving Essence of State Saving Using Using formformss

There must be an uninterrupted sequence There must be an uninterrupted sequence of request/responses pairs from the of request/responses pairs from the browser to a CGI program browser to a CGI program (or programs)(or programs)

The state must beThe state must be represented in the represented in the formform, and, and recognized by the CGI program(s)recognized by the CGI program(s)

The CGI program(s) must encode the The CGI program(s) must encode the state in the state in the formform

Method 4:Method 4:Servlets & URL RewritingServlets & URL Rewriting

Recall that Recall that method=“get” formmethod=“get” forms pass s pass their data in the URLtheir data in the URL

These URLS are designed to be cachedThese URLS are designed to be cached You don’t need a browser that can You don’t need a browser that can

understand understand formforms to use thems to use them You can just type them in like any other web You can just type them in like any other web

addressaddress

URL Rewriting ExplainedURL Rewriting Explained

So why not put the state information from So why not put the state information from method=“get” formmethod=“get” forms in the s in the hrefhref of of every anchorevery anchor

Instead ofInstead of <a href="foo.html" >click here</a>

dodo<a href="foo.html?session=…?session=…" >click here</a>

Servlets (1 of 2)Servlets (1 of 2)

Many users dislike long URLs — they are Many users dislike long URLs — they are hard to mail to friends & look uglyhard to mail to friends & look ugly

Some browser software don’t support Some browser software don’t support cookies — and many users have such cookies — and many users have such support disabledsupport disabled

Wouldn’t it be great if your server would Wouldn’t it be great if your server would use cookies when the client supported use cookies when the client supported them, and URL rewriting when it didn’t?them, and URL rewriting when it didn’t?

Servlets (2 of 2)Servlets (2 of 2)

Servlets (and other server-side software) Servlets (and other server-side software) do that!do that!

Servlets are server-side programs written Servlets are server-side programs written in Javain Java

Other server-side technologies work the Other server-side technologies work the same way but are implemented in other same way but are implemented in other languageslanguages

See alsoServlets lecture

See alsoServlets lecture

What Data Do We Pass?What Data Do We Pass?

But isn’t that a lot of state information to But isn’t that a lot of state information to send back and forth?send back and forth?

Not really, because we don’t have to pass Not really, because we don’t have to pass all of the data back and forthall of the data back and forth

We can pass a user or session ID andWe can pass a user or session ID and the server will maintain a database keyed the server will maintain a database keyed

by those IDsby those IDs

ResourcesResources

Cookie resourcesCookie resources at course website at course website HTTP: The Definitive Guide HTTP: The Definitive Guide in in

the e-book collectionthe e-book collection Cookie examplesCookie examples at course website at course website SessionTrack servlet SessionTrack servlet exampleexample at course website at course website

Note that servlets are not always running at FCSNote that servlets are not always running at FCS

BibliographyBibliography

1.1. CS4173 Resource ListCS4173 Resource List2.2. Web Protocols and PracticeWeb Protocols and Practice

Balachander Krishnamurthy & Jennifer RexfordBalachander Krishnamurthy & Jennifer RexfordAddison-Wesley May 2001Addison-Wesley May 2001© 2001 by AT&T Corp. (ISBN 0-201-71088-9)© 2001 by AT&T Corp. (ISBN 0-201-71088-9)

3.3. HTTP: The Definitive GuideHTTP: The Definitive Guide David Gourley & Brian Totty, with othersDavid Gourley & Brian Totty, with others O'Reilly & Assoc. Sept. 2001O'Reilly & Assoc. Sept. 2001 (ISBN 1-56592-509-2)(ISBN 1-56592-509-2)

4.4. The New Hacker’s DictionaryThe New Hacker’s Dictionary Eric S. Raymond (editor)Eric S. Raymond (editor) Online version used at Online version used at

<URL:<URL:http://www.logophilia.com/jargon/jargon_28.html#TAG1093>>