Applications

Slide 1
Poor usability definitely drives people away. Life is too short for difficult web sites. Users have been burned enough in the past by bad sites, so most of them have concluded that if a site is too difficult on the first few pages, then it will probably not be worth an extended stay. So they leave. Leaving is the one thing that’s easy on the Web.
- Jakob Nielsen, interview, Database Management, Riccardi, p. 31.
© Keith Vander Linden, 2005
Slide 2: Integrated Web Applications
● The technologies discussed so far are used to implement web applications.
● Integrated applications must be designed.
● Technical Issues (Chapter 11):
  – Integrating web forms into an application
  – Sharing data across an application
  – Securing an application
  – Information integrity and recovery
Slide 3: Web Application Design
● You must determine:
  – The information requirements
  – The user requirements
  – The security requirements
● General Guidelines:
  – Focus on the content, not the form.
  – Design for usability.
  – Keep it simple.
Slide 4
[Screenshot of the sample application; visible text: "Back to the main page", "Secure Section"]
Slide 5: Jakob Nielsen, Designing Web Usability
What’s the Big Idea
● Developed discount usability engineering
● Focused much recent effort on website usability
● http://www.useit.com/
[image from www.useit.com]
Slide 6: Navigation
● Applications contain multiple web pages and web forms. Navigation mechanisms:
  – Standard web pages support hyperlinks.
  – Web forms, however, post back to themselves by default.
● ASP.Net provides two mechanisms that transfer control from one form to another:
  – Response.Redirect("aNewURL")
  – Server.Transfer("aNewForm")
Slide 7: Response Class Redirects
1&2. The user initiates a program that executes a response redirect and the application processor sends a new URL.
3&4. The client requests the new URL and the appropriate server returns it.
[Diagram: client, network, IIS server, application processor, file system]
Slide 8: Server Transfers
1&2. The user initiates a program that executes a server transfer and the application processor creates/sends back the new form.
[Diagram: client, network, IIS server, application processor, file system]
Slide 9: User Sessions
● HTTP is a stateless protocol:
  – HTTP requests are treated independently.
  – User sessions must be implemented on top of HTTP.
● ASP.Net supports three types of state:
  – View State
  – Application State
  – Session State
Slide 10: View State
● ASP.Net uses view state to represent the state of the page and its controls.
● The information is:
  – Stored/transferred in the state bag, which is exchanged over the web in hidden fields.
  – Accessed with ViewState("aName")
● View state is not well-suited for:
  – Large amounts of data
  – Hard-to-serialize data
  – Secure information
Slide 11: Application State
● ASP.Net uses application state to represent global information shared by all sessions of a web application.
● The information is:
  – Declared/stored in the global.asax file
  – Accessed with Application("aName")
Slide 12: Session State
● ASP.Net uses session state to represent information associated with a single user session.
● The information is:
  – Stored in web server memory, separately from the ASP.Net process
  – Indexed by a session ID, stored either in the URL or in a cookie
  – Accessed with Session("aName")
  – Discarded at the end of the session
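The session-state choices listed above (out-of-process storage, session ID in a cookie rather than the URL, discard after a timeout), as an added ASP.NET 1.x web.config fragment that is not part of the original slides; the state-service address and the timeout are assumed sample values:

```xml
<!-- Added example (not from the original slides): ASP.NET 1.x web.config
     fragment for the session state options described on the slide. -->
<configuration>
  <system.web>
    <!-- mode="StateServer": session data lives in the ASP.NET state service,
         a process separate from the ASP.NET worker process, so it survives a
         worker recycle. mode="InProc" would keep it inside the worker itself.
         The address and port below are assumed sample values. -->
    <sessionState
        mode="StateServer"
        stateConnectionString="tcpip=127.0.0.1:42424"
        cookieless="false"
        timeout="20" />
    <!-- cookieless="false": the session ID travels in a cookie. With
         cookieless="true" it is embedded in the URL, where it ends up in
         server logs, bookmarks and Referer headers sent to other sites.
         timeout="20": minutes of inactivity before the session is discarded. -->
  </system.web>
</configuration>
```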
Slide 14: Cookies
● Are small files, stored on the client machine, that are associated with a specific domain.
● They are:
  – < 4K in size
  – temporary or persistent
● Pose privacy concerns
Slide 15: 3rd Party Cookies
1. The user requests a page from a DoubleClick customer site.
2. The site returns a page that contains an image URL from DoubleClick.
3. Client requests the image from DoubleClick (sending a cookie).
4. DoubleClick records the fact that you visited the customer site.
5. DoubleClick returns a customized advertisement (setting a cookie).
[Diagram: client, network, server1 (DoubleClick Customer), server2 (DoubleClick) with database]
Slide 16: Lou Montulli, Cookies
● Introduced in Netscape 1.1 in 1995
● Named them after UNIX magic cookies
● Wrote this preliminary spec: http://home.netscape.com/newsref/std/cookie_spec.html
[image from www.epinions.com]
Slide 17: Security
● Web applications must be secured.
● Key issues:
  – Authentication
  – Authorization
● ASP.Net implements two-layered security:
  – Web server
  – Application server
Slide 18: Authentication
● Authentication determines who the user is.
● It is generally implemented with loginIDs and passwords.
● ASP.Net supports 4 authentication types:
  – Anonymous access
  – Windows Authentication
  – Passport Authentication
  – Certificate Authentication
  – Forms Authentication
Slide 19: Anonymous Access
● If a user is not authenticated, they are considered anonymous.
● The resources available to these users are limited only by:
  – What the web server has access to
  – What the web server allows the user to access
Slide 20: Windows Authentication
● This method uses the MS Windows-based authentication built into IIS.
● The user must:
  – Use the Windows platform
  – Have a Windows account on the server
● This is the default setting.
Slide 21: Passport Authentication
● Passport authentication uses a centralized authentication service provided by Microsoft.
● It allows a user to use a single login account for a number of websites.
● It requires that the websites register for Passport service.
Slide 22: Certificate Authentication
● Certificate authentication is based on digital keys installed on a computer.
● Features:
  – Certificates are generally issued by a 3rd party.
  – Their operation is seamless to the user.
  – They are secured with public-key encryption.
Slide 23: Forms Authentication
● ASP.Net forms authentication allows the system to authenticate users once per session.
● It doesn’t require that:
  – the user have a Windows login
  – the application register for Passport service
● It secures access to any ASP.Net form in a directory designated as secure.
Slide 24: Forms Authentication (cont.)
1. The user requests a web form in a secure folder.
2&3. If the user is anonymous, the application processor posts back a login form and collects authentication information.
4. The application processor posts back either the requested page or an error page, depending on whether the authentication is successful.
[Diagram: client, network, IIS server, application processor, file system]
Slide 28: Authorization
● Authorization determines what resources the authenticated user may access.
● ASP.Net allows an application to restrict authorization based on:
  – Files
  – URLs
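The forms authentication flow (slides 23 and 24) together with file- and URL-based authorization (slide 28), as an added ASP.NET 1.1 web.config that is not part of the original slides; the folder name "Secure", the page names and the role name are assumed placeholders:

```xml
<!-- Added example (not from the original slides): ASP.NET 1.1 web.config with
     forms authentication and authorization by folder (URL) and by file.
     "Secure", "Login.aspx", "Admin.aspx" and "Administrators" are placeholders. -->
<configuration>
  <system.web>
    <!-- Forms authentication: an anonymous request to a protected URL is
         redirected to loginUrl; a successful login issues the ticket cookie
         named below. protection="All" both encrypts and MAC-validates the
         ticket; requireSSL keeps the cookie off plain HTTP. IIS itself must
         allow anonymous access so the request reaches ASP.NET at all. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="Login.aspx"
             protection="All"
             timeout="30"
             requireSSL="true"
             slidingExpiration="false" />
    </authentication>
    <!-- Application-wide default: all users, anonymous included, may reach
         the public pages. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Authorization by URL: the whole Secure folder denies anonymous users
       ("?"), so they are sent to the login form first. -->
  <location path="Secure">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- Authorization by file: one page limited to a single role. Rules are
       evaluated top to bottom and the first match wins, so the allow must
       precede the catch-all deny. Role membership for forms-authenticated
       users has to be supplied by the application (e.g. in global.asax). -->
  <location path="Secure/Admin.aspx">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```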