CS453: State in Web Applications Part 1 - PowerPoint PPT Presentation

Slides: 30
Provided by: tomho8
1
CS453 State in Web Applications (Part 1)
  • State in General
  • Sessions (esp. in PHP)
  • Prof. Tom Horton

2
Readings
  • Textbook
  • Pages 155-158
  • On the web
  • On-line book

3
State, Stateless, HTTP
  • We say HTTP is stateless
  • From one client/server request to the next, the server
  • Doesn't remember anything
  • Can't associate a previous request with the current request
  • Advantages: simpler protocol and implementations
  • But we need state for real apps

4
State and Sessions
  • State
  • Variable/info we store and have repeated access to
  • "We" is the client-side app and the server-side app
  • Session
  • A sequence of interactions for which we remember state

5
One form of state: Cookies
  • You remember cookies?
  • Clearly an example of state
  • Stored on disk on the client side
  • Readable and writable by JavaScript
  • Readable and writable by server-side scripts
  • Issues?
  • Security, nuisance, abuse, expiration, limitations on number and size, ...

6
Where to Keep State?
  • In server-side application
  • In Apache etc.?
  • Why not a good idea?
  • In memory in the server-side program?
  • On the server's file system
  • In files or a DBMS
  • Now must have a user-id or session-id, and pass it around (and manage it)

7
Where to Keep State? (2)
  • On the client?
  • On the file system: Cookies
  • In memory in the client
  • Is this possible?
  • Advantages: can't be accessed through JavaScript, hacking, etc.
  • For any of these, passing things back and forth is still needed

8
Solutions
  • Dynamic URLs
  • Put some information into the URL
  • Forms, CGI GET method
  • Cookies
  • Hidden input fields in forms
  • Not displayed, but in HTML
  • Dynamic/changeable with JavaScript
  • Java applets
  • Why does this solve the state issue?

9
PHP Sessions
  • You've seen how PHP supports cookies
  • PHP also supports sessions directly without using cookies
  • The key ideas
  • Functions to start and end sessions
  • PHP and the browser share a set of variables cleanly, with little effort on your part
  • For a single session
  • While the browser is open, and
  • Between your PHP calls to start and end the session

10
What's Shared
  • $_SESSION
  • An associative array (super-global, like the ones for POST or cookies)
  • A session-id
  • Get it with the PHP function session_id()
  • But you don't really need it

11
Starting a Session
  • First line in script: session_start()
  • Either
  • Creates a new session
  • Or re-loads the current session
  • Your browser knows if a session is active
  • So pages using sessions should always start with this

12
Ending a Session
  • At some point you know you're done. So just call
  • session_destroy()
  • Cleans up $_SESSION and the session-id

13
Session Variables
  • Use $_SESSION as any associative array
  • Re-loaded with persistent values by session_start()
  • As usual, not a good idea to use extract()
  • POST variables can overwrite these
  • Don't forget the isset() function
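The session lifecycle from slides 9 to 13 in one script, as an added example rather than code from the slides: session_start(), $_SESSION, isset() and session_destroy() as described above, together with the checks a practitioner adds around them. The session ID that PHP shares with the browser travels, by default, in a cookie, so the example sets the cookie flags before starting the session, refuses IDs carried in the URL or never issued by the server, and rotates the ID at login. It also shows the extract() hazard from slide 13 next to the safe form. The function names (configure_session, login, current_user, logout, greeting_unsafe, greeting_safe), the session keys 'user' and 'login_at', and the ?action= parameter are this example's own; PHP 7.3 or later is assumed for the array form of session_set_cookie_params().

```php
<?php
// Added example (not from the slides): login/logout on top of PHP's built-in
// sessions. Function names, session keys and the ?action= parameter are assumptions.

declare(strict_types=1);

// Configure the session cookie before session_start(); these settings are the
// mitigations a practitioner adds, the slides only introduce the API.
function configure_session(): void
{
    if (session_status() !== PHP_SESSION_NONE) {
        return;                          // already started in this request
    }
    // Accept the session ID only from the cookie (never from the URL, where it
    // leaks into logs and Referer headers) and only if the server issued it.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: discarded when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // sent over HTTPS only
        'httponly' => true,     // not readable via document.cookie
        'samesite' => 'Lax',
    ]);
    session_start();            // creates a new session or re-loads the current one
}

// After successful authentication: rotate the ID so a session that was fixed
// before login cannot be reused, then record who is logged in.
function login(string $username): void
{
    configure_session();
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['login_at'] = time();
}

// isset() first (slide 13): a missing key must not be an error.
function current_user(): ?string
{
    configure_session();
    return isset($_SESSION['user']) ? $_SESSION['user'] : null;
}

// session_destroy() alone leaves the in-memory array and the browser's cookie
// behind, so clear both explicitly.
function logout(): void
{
    configure_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Why extract() is a bad idea: a POST field named "user" silently replaces the
// value just read from the session. Kept here for illustration only; never called.
function greeting_unsafe(array $post): string
{
    $user = current_user() ?? 'guest';
    extract($post);                    // $user may now come from the client
    return "Hello, $user";
}

function greeting_safe(array $post): string
{
    $user = current_user() ?? 'guest'; // only the session decides who you are
    $display = isset($post['display']) ? (string) $post['display'] : '';
    return "Hello, $user" . ($display !== '' ? " ($display)" : '');
}

// Dispatch: script.php?action=login (POST username=...), ?action=logout, or show.
$action = $_GET['action'] ?? 'show';
header('Content-Type: text/plain');
if ($action === 'logout') {
    logout();
    echo "Logged out\n";
    exit;
}
if ($action === 'login' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    // real code verifies the credentials here before calling login()
    login((string) ($_POST['username'] ?? ''));
}
echo greeting_safe($_POST), "\n";
```

Save it as a single PHP script under an HTTPS virtual host; a POST to ?action=login followed by a plain GET shows the name surviving across requests, and ?action=logout shows that the next request starts from an empty $_SESSION. The unsafe/safe pair makes the slide's warning concrete: with extract(), the one variable that must come from the server (the identity) is the one a form field can overwrite.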

14
Example
  • Live on-line example

15
(No Transcript)
16
Web sessions
  • Textbook pages 285-286
  • Custom URL method
  • First form
  • http://www.com/path/script.cgi?args=sessionID
  • The script does the work
  • Second form: http://www.com/path/sessionID/more/path
  • The server knows how to handle this

17
Where to Store Info (Revisited)
  • What's a three-tier architecture?
  • Client, server, database
  • E.g. browser plus PHP and MySQL on the server
  • But other possibilities
  • Other possibilities: federated systems
  • Cooperating distributed systems that handle certain tasks
  • Examples: authentication (e.g. MS Passport), wallets, credit card processing, shippers, etc.

18
Some Rules of Thumb
  • Consider storing on the client when
  • It's info where security is crucial
  • Where it's OK if the info is not available when a different machine is used
  • Where the info is used by more than one application or page

19
Custom client application
  • We think of web browser as the client application
  • But businesses could supply a custom SW
    application
  • Advantages/Disadvantages
  • Can keep more user-info secure
  • But user must install/update client app
  • Can't use it anywhere on any system

20
Shopping Carts
  • Textbook, Chap 16

21
Shopping Cart Basics
  • What's the metaphor here?
  • Just a trolley in a physical store?

22
Shopping Cart Basics
  • To the business, the cart eventually is like a sales order or purchase order
  • The latter is an accepted sales order
  • Header data
  • Info on buyer, shipping, payment, etc.
  • Line-item data
  • Item, SKU, quantity, price, etc.

23
Server-Side Shopping Carts
  • Can be more complex in the real world than you expect. Possible that
  • The catalog is stored/served separately from cart storage
  • The order system is separate
  • Orders (carts?) are sent to other systems (federated systems)

24
Persistence Issues
  • How many carts?
  • By user
  • Wish-list, registry, etc. vs. real cart
  • In the textbook's example system
  • Session cart for anonymous user; session cart for authenticated user; cart on catalog server
  • Other saved carts
  • Company systems where a third party approves orders

25
Possible Features, Issues
  • Quick orders
  • E.g. Amazon one-click
  • Configurators
  • E.g. ordering a computer at dell.com
  • Order processing
  • To or by a third-party organization
  • Don't forget: integrates with Catalog, Inventory

26
What Processing Is Done
  • What do you remember?

27
What Processing Is Done?
  • Shop, Add items
  • Edit or update cart
  • Checkout
  • Get shipping info
  • Get payment info and approve
  • Confirm order
  • Send on to Purchasing

28
More Processing Done
  • See text, pages 325f.
  • Note that these steps are part of recognized industry pipelines built into commercial e-commerce components/servers
  • Steps for verification
  • Price adjustments; order (sub)totals
  • Taxes (!)
  • Shipping: multiple shipments?
  • Validity of order?
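A server-side cart kept in $_SESSION, added here as an example (not the textbook's or the slides' code) to tie together slides 22, 27 and 28: line items carry only SKU and quantity, prices and stock come from the server's catalog, and the header totals (subtotal, tax, total) are computed at checkout from that catalog rather than from anything the browser sent. The CATALOG array, its SKUs, prices and stock levels, the 7.5% tax rate, the function names (cart_start, cart_set, cart_totals) and the op/sku/qty parameters are all constructed for this example.

```php
<?php
// Added example (not from the textbook or slides): a shopping cart stored in
// $_SESSION. Catalog, SKUs, prices, tax rate and parameter names are constructed.

declare(strict_types=1);

// Constructed catalog: the server's price list is the only source of prices.
// Amounts are integer cents to avoid floating-point rounding in totals.
const CATALOG = [
    'SKU-1001' => ['name' => 'USB-C cable', 'price_cents' => 1299, 'stock' => 50],
    'SKU-2002' => ['name' => 'Keyboard',    'price_cents' => 4900, 'stock' => 3],
];

function cart_start(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    if (!isset($_SESSION['cart'])) {
        $_SESSION['cart'] = [];   // sku => quantity; line items hold no price
    }
}

// Add or update a line item (slide 27: "Add items", "Edit or update cart").
// Quantity 0 removes the line. The client supplies only (sku, quantity).
function cart_set(string $sku, int $quantity): bool
{
    cart_start();
    if (!isset(CATALOG[$sku])) {
        return false;                                   // unknown SKU: reject
    }
    if ($quantity < 0 || $quantity > CATALOG[$sku]['stock']) {
        return false;                                   // validity check (slide 28)
    }
    if ($quantity === 0) {
        unset($_SESSION['cart'][$sku]);
    } else {
        $_SESSION['cart'][$sku] = $quantity;
    }
    return true;
}

// Line-item and header totals (slide 22) recomputed from the catalog at
// checkout, so a stale or tampered price can never reach the order.
function cart_totals(int $tax_permille = 0): array
{
    cart_start();
    $lines = [];
    $subtotal = 0;
    foreach ($_SESSION['cart'] as $sku => $qty) {
        $unit = CATALOG[$sku]['price_cents'];
        $line = $unit * $qty;
        $lines[] = ['sku' => $sku, 'name' => CATALOG[$sku]['name'],
                    'quantity' => $qty, 'unit_cents' => $unit, 'line_cents' => $line];
        $subtotal += $line;
    }
    // tax in cents, rounded half up (tax_permille = 75 means 7.5%)
    $tax = intdiv($subtotal * $tax_permille + 500, 1000);
    return ['lines' => $lines, 'subtotal_cents' => $subtotal,
            'tax_cents' => $tax, 'total_cents' => $subtotal + $tax];
}

// Request handling: POST ?op=set with sku=...&qty=..., or GET ?op=show
cart_start();
$op = $_GET['op'] ?? 'show';
if ($op === 'set' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = cart_set((string) ($_POST['sku'] ?? ''), (int) ($_POST['qty'] ?? 0));
    if (!$ok) {
        http_response_code(400);
        exit("invalid sku or quantity\n");
    }
}
header('Content-Type: application/json');
echo json_encode(cart_totals(75), JSON_PRETTY_PRINT), "\n";   // 7.5% tax, constructed
```

Keeping only SKU and quantity in the session is the design point: the cart is the one piece of state the client can drive through requests, so anything with money attached (unit price, discount, tax) is looked up or computed on the server at the moment the order is built, which is also where the validity checks from slide 28 (known SKU, quantity within stock) belong.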

29
Look and Feel
  • What's good? What's not?
  • Features you like?