Learn about cookies, sessions, database connections, CGI specifications, HTTP authentication, file uploading, and more for secure web development.
Web Application Generic Issues
Krerk Piromsopa, Department of Computer Engineering, Chulalongkorn University
Content
• Cookies
• Sessions
• Database connection
• Persistent connection
• HTTP header
• HTTP authentication
• File uploading
• CGI specification
Cookies
• Persistent client state
• Set-Cookie HTTP response header:
    Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure
• HTTP request header:
    Cookie: NAME1=OPAQUE_STRING1; NAME2=OPAQUE_STRING2 ...
Sessions
• Preserve certain data across subsequent accesses
• Built on the cookie mechanism
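The two slides above describe the cookie syntax and the idea of a session layered on it. The following added example (not part of the original slides) renders a Set-Cookie header in exactly the slide's syntax, parses the Cookie request header format shown, and keeps session data on the server so that only an unguessable opaque id travels in the cookie. The in-memory SESSIONS store and the SESSIONID cookie name are constructed for the example.

```python
import secrets

# Constructed in-memory session store: session id -> session data.
# A real deployment would use a shared store with expiry; the principle is the same:
# the client only ever holds an opaque id, never the session data itself.
SESSIONS = {}

def build_set_cookie(name, value, expires=None, path=None, domain=None, secure=False):
    """Render a Set-Cookie header in the slide's syntax:
    NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure"""
    if not name or any(c in name for c in "=;, \t"):
        raise ValueError("invalid cookie name")
    if any(c in value for c in ";, \t"):
        raise ValueError("invalid cookie value")
    parts = [f"{name}={value}"]
    if expires:
        parts.append(f"expires={expires}")
    if path:
        parts.append(f"path={path}")
    if domain:
        parts.append(f"domain={domain}")
    if secure:                      # only send the cookie over HTTPS
        parts.append("secure")
    return "Set-Cookie: " + "; ".join(parts)

def parse_cookie_header(header):
    """Parse 'NAME1=OPAQUE_STRING1; NAME2=OPAQUE_STRING2' into a dict."""
    cookies = {}
    for pair in header.split(";"):
        if "=" not in pair:
            continue                # ignore malformed fragments rather than failing
        name, _, value = pair.strip().partition("=")
        cookies[name.strip()] = value.strip()
    return cookies

def start_session(data):
    """Create a server-side session; return (session id, Set-Cookie header to send)."""
    sid = secrets.token_urlsafe(32)  # 256 bits of randomness: the id must be unguessable
    SESSIONS[sid] = dict(data)
    return sid, build_set_cookie("SESSIONID", sid, path="/", secure=True)

def load_session(cookie_header):
    """Look up the session named by the request's Cookie header; None if absent or unknown."""
    sid = parse_cookie_header(cookie_header).get("SESSIONID")
    if sid is None:
        return None
    return SESSIONS.get(sid)        # a forged or expired id simply finds nothing

if __name__ == "__main__":
    sid, header = start_session({"user": "alice"})
    print(header)
    print(load_session(f"SESSIONID={sid}; NAME2=OPAQUE_STRING2"))
```

Note that a client can always edit the cookie value; the design holds because an edited id is just a lookup miss, so nothing the client controls is ever interpreted as session data.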
Database Connection
• CGI application interface to a database
• Each web connection gets its own particular database connection
Persistent Database Connections
• Links that do not close when the execution of your script ends
• Reused only for the same host, with the same username and the same password
• Require extraordinary server configuration.
HTTP Basic Access Authentication
• Header part (server):
    HTTP/1.0 401 Unauthorized
    WWW-Authenticate: Basic realm="Test Authentication System"
• Header part (client):
    Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
  The credential is userid ":" password, passed through a Base-64 encoder
• Whole-site authentication
• Base-64 encoder
Base 64 Encoder
• Maps each group of 3 x 8-bit bytes to 4 x 6-bit characters
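The Basic authentication and Base-64 slides above are illustrated by this added example (not code from the original slides). It implements the 3x8-bit to 4x6-bit Base-64 encoding by hand, builds the client Authorization header from userid ":" password, and shows the server side decoding and checking the credential with a constant-time comparison. The user table is constructed; the decoded credential "Aladdin:open sesame" is the one behind the slide's example header.

```python
import base64
import hmac

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def base64_encode(data: bytes) -> str:
    """Base-64 by hand: every 3 x 8-bit bytes become 4 x 6-bit characters.
    A short final group is zero-padded and the unused output characters become '='."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        pad = 3 - len(chunk)
        n = int.from_bytes(chunk + b"\x00" * pad, "big")   # one 24-bit group
        for shift in (18, 12, 6, 0):                        # four 6-bit slices
            out.append(B64_ALPHABET[(n >> shift) & 0x3F])
        if pad:
            out[-pad:] = "=" * pad
    return "".join(out)

def basic_auth_header(userid: str, password: str) -> str:
    """Client side: userid ':' password, Base-64 encoded. Base-64 is encoding, not encryption:
    anyone who sees this header recovers the password, hence the need for HTTPS."""
    if ":" in userid:
        raise ValueError("userid must not contain ':'")
    return "Authorization: Basic " + base64_encode(f"{userid}:{password}".encode())

def check_basic_auth(header: str, users: dict):
    """Server side: decode the header and verify it; return the userid on success, else None.
    `users` is a constructed userid -> password table (a real server stores password hashes)."""
    prefix = "Authorization: Basic "
    if not header.startswith(prefix):
        return None
    try:
        decoded = base64.b64decode(header[len(prefix):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None                                         # malformed, not an auth failure to log as a user
    userid, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = users.get(userid, "")
    # compare_digest keeps the comparison constant-time; check membership afterwards so an
    # unknown userid costs the same as a wrong password
    ok = hmac.compare_digest(password.encode(), expected.encode())
    return userid if ok and userid in users else None

if __name__ == "__main__":
    hdr = basic_auth_header("Aladdin", "open sesame")
    print(hdr)                                              # the slide's example header
    print(check_basic_auth(hdr, {"Aladdin": "open sesame"}))
```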
HTTP Digest Access Authentication
• Header part (server):
    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Digest realm="testrealm@host.com", qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"
• Supported algorithm: MD5 hash (more secure than Basic)
• Header part (client):
    Authorization: Digest username="Mufasa", realm="testrealm@host.com", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", qop=auth, nc=00000001, cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1", opaque="5ccc069c403ebaf9f0171e9517f40e41"
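The Digest exchange above is worked through in this added example (not code from the original slides). It computes the response value with the RFC 2617 MD5 construction, parses the client's Authorization header, and verifies it on the server with a constant-time comparison plus a nonce-count check so a captured header cannot simply be replayed. The header and nonce values are the slide's own; the password "Circle Of Life" is the one used for this example in RFC 2617, and the user table and nonce bookkeeping are constructed.

```python
import hashlib
import hmac
import re

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")   # a server may store HA1 instead of the password
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')   # key="quoted" or key=bare

def parse_digest_header(header):
    """Split 'Authorization: Digest k="v", k=v, ...' into a dict; None if not a Digest header."""
    if header.startswith("Authorization: "):
        header = header[len("Authorization: "):]
    if not header.startswith("Digest "):
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(header[len("Digest "):])}

def verify_digest(header, method, users, issued_nonces):
    """Server side. `users` maps username -> password (constructed); `issued_nonces` maps each
    nonce this server handed out to the highest nc accepted so far, so a replayed header
    (same nonce, nc not increasing) is rejected. Returns the username on success, else None."""
    f = parse_digest_header(header)
    if f is None:
        return None
    required = {"username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response"}
    if not required <= f.keys():
        return None
    if f["qop"] != "auth":                 # auth-int would also need the body hash in HA2
        return None
    if f["nonce"] not in issued_nonces:    # a nonce we never issued is meaningless
        return None
    try:
        nc = int(f["nc"], 16)
    except ValueError:
        return None
    if nc <= issued_nonces[f["nonce"]]:    # replay of an already-accepted count
        return None
    password = users.get(f["username"])
    if password is None:
        return None
    expected = digest_response(f["username"], f["realm"], password, method, f["uri"],
                               f["nonce"], f["nc"], f["cnonce"], f["qop"])
    if not hmac.compare_digest(expected, f["response"]):
        return None
    issued_nonces[f["nonce"]] = nc
    return f["username"]

# The client header exactly as on the slide.
EXAMPLE_HEADER = ('Authorization: Digest username="Mufasa", realm="testrealm@host.com", '
                  'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
                  'qop=auth, nc=00000001, cnonce="0a4f113b", '
                  'response="6629fae49393a05397450978507c4ef1", '
                  'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

if __name__ == "__main__":
    nonces = {"dcd98b7102dd2f0e8b11d0f600bfb0c093": 0}
    print(verify_digest(EXAMPLE_HEADER, "GET", {"Mufasa": "Circle Of Life"}, nonces))  # Mufasa
    print(verify_digest(EXAMPLE_HEADER, "GET", {"Mufasa": "Circle Of Life"}, nonces))  # None (replay)
```

The password never crosses the wire, which is the improvement over Basic; MD5 is still the weak point, and the scheme gives the server no protection if it stores HA1 and that store leaks, since HA1 alone is enough to compute responses.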
File Uploading
• PUT method (used by clients such as Netscape Composer and W3C Amaya):
    PUT /path/filename.html HTTP/1.1
• Form POST method:
    <form enctype="multipart/form-data" action="_URL_" method="post">
    <input type="hidden" name="MAX_FILE_SIZE" value="1000">
    Send this file: <input name="userfile" type="file">
    <input type="submit" value="Send File">
    </form>
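The form above carries a MAX_FILE_SIZE hidden field, but that value comes from the client and can be edited, so the receiving script has to enforce its own limit. This added example (not code from the original slides) shows the server-side checks for one uploaded file: a size limit independent of the form field, removal of any directory components from the client-supplied name, a conservative character set, an extension allow-list, and a random suffix so uploads cannot overwrite each other. The limit, allow-list and upload directory are constructed for the example.

```python
import os
import re
import secrets

MAX_FILE_SIZE = 1000                 # constructed: same limit as the form, but enforced here
ALLOWED_EXT = {".txt", ".png", ".jpg"}   # constructed allow-list for this example
UPLOAD_DIR = "/var/www/uploads"      # constructed; must be outside the document root

def safe_filename(client_name: str) -> str:
    """Turn the browser-supplied filename into a name that is safe to join with UPLOAD_DIR."""
    # Drop any path, whether Unix or Windows style ("../x", "C:\\x").
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")   # no hidden files, no odd bytes
    if not base:
        raise ValueError("empty filename")
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    # Server-chosen suffix: two uploads named "report.txt" never collide or overwrite.
    return f"{root[:64]}_{secrets.token_hex(4)}{ext}"

def accept_upload(client_name: str, data: bytes) -> str:
    """Validate one multipart upload and return the path it may be stored at.
    The form's MAX_FILE_SIZE field is deliberately not consulted: only the server limit counts."""
    if len(data) > MAX_FILE_SIZE:
        raise ValueError(f"file too large ({len(data)} > {MAX_FILE_SIZE} bytes)")
    name = safe_filename(client_name)
    path = os.path.join(UPLOAD_DIR, name)
    # Belt and braces: the joined path must still be inside UPLOAD_DIR.
    if os.path.commonpath([UPLOAD_DIR, os.path.normpath(path)]) != UPLOAD_DIR:
        raise ValueError("path escapes upload directory")
    return path

if __name__ == "__main__":
    print(accept_upload("report.txt", b"constructed sample content"))
    for bad in ("../../etc/passwd", "shell.php", "notes.txt"):
        try:
            print(accept_upload(bad, b"x" * 2000 if bad == "notes.txt" else b"x"))
        except ValueError as e:
            print(bad, "->", e)
```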
CGI 1.1 Specification
• Environment variables:
    SERVER_SOFTWARE, SERVER_NAME, GATEWAY_INTERFACE, SERVER_PROTOCOL, SERVER_PORT,
    REQUEST_METHOD, PATH_INFO, PATH_TRANSLATED, SCRIPT_NAME, QUERY_STRING,
    REMOTE_HOST, REMOTE_ADDR, AUTH_TYPE, REMOTE_USER, REMOTE_IDENT,
    CONTENT_TYPE, CONTENT_LENGTH, HTTP_ACCEPT, HTTP_USER_AGENT
• Command line: a request for http://www…./test?hello executes 'test hello'
CGI 1.1 Specification (cont.)
• Standard input: request body for POST or PUT
• Standard output (no server directives): Content-type, Location, (status line)
• Example:
    HTTP/1.0 200 OK
    Server: NCSA/1.0a6
    Content-type: text/plain
    [Data]
• Simple CGI with shell script:
    #!/bin/sh
    echo "Content-type: text/plain"
    echo ""
    echo "Hello World"
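The two CGI slides above list the environment variables, the body on standard input and the header-then-blank-line output convention. This added example (not code from the original slides) is a small CGI script written as a function so the pieces can be tested: it bounds the body read by CONTENT_LENGTH and a server-side cap, parses QUERY_STRING itself rather than letting anything reach a command line (the slide's "test hello" behaviour is exactly what a script must not reproduce), HTML-escapes what it echoes, and emits a Status: header followed by Content-type and the blank line. The environment and body used in the test are constructed.

```python
import html
import io
import os
import sys
from urllib.parse import parse_qs

MAX_BODY = 64 * 1024   # constructed server-side cap, independent of what the client claims

def build_response(environ, stdin):
    """Return (status, content_type, body_text) for one CGI request.
    `environ` is the CGI environment (os.environ in production); `stdin` a binary stream."""
    method = environ.get("REQUEST_METHOD", "GET")
    body = b""
    if method in ("POST", "PUT"):
        try:
            length = int(environ.get("CONTENT_LENGTH", "0"))
        except ValueError:
            return "400 Bad Request", "text/plain", "bad Content-Length\n"
        if length < 0 or length > MAX_BODY:
            return "413 Payload Too Large", "text/plain", "body too large\n"
        body = stdin.read(length)          # never read past what the server announced
    elif method != "GET":
        return "405 Method Not Allowed", "text/plain", "method not allowed\n"

    # Parse the query ourselves; QUERY_STRING is attacker-controlled text, not a command line.
    query = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    name = query.get("name", ["World"])[0]
    lines = [
        f"<p>Hello {html.escape(name)}</p>",
        f"<p>Method: {html.escape(method)}, "
        f"from {html.escape(environ.get('REMOTE_ADDR', '?'))}, "
        f"agent {html.escape(environ.get('HTTP_USER_AGENT', '?'))}</p>",
        f"<p>Body length: {len(body)}</p>",
    ]
    return "200 OK", "text/html; charset=utf-8", "\n".join(lines) + "\n"

def render(status, content_type, body_text):
    """Serialise in CGI form: headers, blank line, then the data (the slide's output convention)."""
    return f"Status: {status}\r\nContent-type: {content_type}\r\n\r\n{body_text}"

def main():
    status, ctype, text = build_response(os.environ, sys.stdin.buffer)
    sys.stdout.write(render(status, ctype, text))

if __name__ == "__main__":
    main()
```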
References
• Netscape cookie specification: http://wp.netscape.com/newsref/std/cookie_spec.html
• World Wide Web Consortium: http://www.w3c.org
• HTTP Authentication: Basic and Digest Access Authentication (RFC 2617)
• NCSA CGI interface specification: http://hoohoo.ncsa.uiuc.edu/cgi/interface.html