© Keith Vander Linden, 2005
Poor usability definitely drives people away. Life is too short for difficult web sites. Users have been burned enough in the past by bad sites, so most of them have concluded that if a site is too difficult on the first few pages, then it will probably not be worth an extended stay. So they leave. Leaving is the one thing that’s easy on the Web. - Jakob Nielsen, interview, Database Management, Riccardi, p. 31.
Integrated Web Applications
● The technologies discussed so far are used to implement web applications.
● Integrated applications must be designed.
● Technical issues (Chapter 11):
  – Integrating web forms into an application
  – Sharing data across an application
  – Securing an application
  – Information integrity and recovery
Web Application Design
● You must determine:
  – The information requirements
  – The user requirements
  – The security requirements
● General guidelines:
  – Focus on the content, not the form.
  – Design for usability.
  – Keep it simple.
Jakob Nielsen, Designing Web Usability
● Developed discount usability engineering
● Focused much recent effort on website usability
● http://www.useit.com/
Navigation
● Applications contain multiple web pages and web forms. Navigation mechanisms:
  – Standard web pages support hyperlinks.
  – Web forms, however, post back to themselves by default.
● ASP.Net provides two mechanisms that transfer control from one form to another:
  – Response.Redirect(“aNewURL”): sends the browser an HTTP redirect (status 302) carrying the new URL, and the browser issues a second request for it. That request can go to any site, so a URL taken from the request (a returnUrl parameter, for example) must be validated before it is passed in, or the page becomes an open redirect to an attacker’s site.
  – Server.Transfer(“aNewForm”): executes the new form on the server within the same request. The browser sees no change of URL, and the target must be an ASP.Net form in the same application.
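An added example of the Response.Redirect caveat; it is not code from the slides or from the course. It is a hypothetical Checkout.aspx code-behind that accepts a returnUrl query parameter and redirects only to site-rooted paths, falling back to an assumed /Default.aspx otherwise. The page name, the parameter name and the fallback are assumptions.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example (not from the slides): code-behind for a hypothetical
// Checkout.aspx that redirects to a caller-supplied "returnUrl".
public partial class Checkout : Page
{
    // Accept only site-rooted paths. "http://evil.example", "//evil.example"
    // (scheme-relative) and "/\evil.example" are all rejected, as is any
    // value that carries a scheme somewhere inside it.
    public static bool IsLocalPath(string url)
    {
        if (String.IsNullOrEmpty(url)) return false;
        if (url.Length > 2048) return false;                 // sanity limit
        if (url[0] != '/') return false;                     // must start at the site root
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false;
        if (url.IndexOf(':') >= 0) return false;             // conservative: no colon anywhere, so no scheme
        Uri parsed;
        return Uri.TryCreate(url, UriKind.Relative, out parsed);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        string target = Request.QueryString["returnUrl"];
        if (!IsLocalPath(target))
        {
            target = "/Default.aspx";   // assumed landing page
        }
        // endResponse=false avoids the ThreadAbortException that the one-argument
        // Response.Redirect raises to stop the page; CompleteRequest ends it cleanly.
        Response.Redirect(target, false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

Rejecting every colon also rejects legitimate query values such as a time of day; that is a deliberate trade in favour of a simple check that cannot be talked into emitting an absolute URL.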
Response Class Redirects
Figure: client and server (IIS Server, Application Processor, File System) connected over the network.
1&2. The user initiates a program that executes a Response.Redirect, and the application processor returns an HTTP redirect response (status 302 with a Location header) carrying the new URL.
3&4. The client requests the new URL and the appropriate server, which may be a different server entirely, returns it. The round trip costs a second request and makes the new URL visible to the user.
Server Transfers
Figure: client and server (IIS Server, Application Processor, File System) connected over the network.
1&2. The user initiates a program that executes a Server.Transfer, and the application processor creates the new form and sends it back in the same response. No second request is made, the browser’s address bar still shows the original URL, and the target must be an ASP.Net form in the same application. Because the request pipeline does not run again for the target, authorization rules written for the target’s URL are not re-evaluated; the transferring page must apply them itself.
User Sessions
● HTTP is a stateless protocol:
  – HTTP requests are treated independently.
  – User sessions must be implemented on top of HTTP.
● ASP.Net supports three types of state:
  – View State
  – Application State
  – Session State
View State
● ASP.Net uses view state to represent the state of the page and its controls between postbacks.
● The information is:
  – Stored/transferred in the state bag, which is serialized, base64-encoded and exchanged over the web in the hidden __VIEWSTATE form field.
  – Accessed with ViewState(“aName”)
● View state is not well-suited for:
  – Large amounts of data (the whole bag travels to and from the client on every postback)
  – Hard-to-serialize data
  – Secure information: the field is encoded, not encrypted, so anyone who can see the page can read it. The view-state MAC (on by default) lets the server detect tampering but does not hide the contents.
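An added example, not from the slides, showing why secrets do not belong in view state. LosFormatter is the serializer ASP.Net 1.x/2.0 uses for the __VIEWSTATE field; the account string is a constructed sample standing in for something a developer might have stored with ViewState(“acct”). The page’s MAC, when enabled, appends a hash to this blob to detect tampering; it does not stop the client from decoding it. Keeping the value out of the client entirely (in session state) or setting viewStateEncryptionMode="Always" (ASP.Net 2.0) is the fix.

```csharp
using System;
using System.IO;
using System.Web.UI;

// Added example (not from the slides). Compile as a console program
// referencing System.Web.dll.
public static class ViewStateDemo
{
    // Mimics what the page does when it saves a value into the state bag.
    public static string SaveToViewState(object value)
    {
        LosFormatter formatter = new LosFormatter();   // no MAC, no encryption: the default wire format
        StringWriter writer = new StringWriter();
        formatter.Serialize(writer, value);
        return writer.ToString();                      // this base64 string is what the browser receives
    }

    // Anyone holding the page source can do this; no key is involved.
    public static object ReadFromViewState(string hiddenField)
    {
        LosFormatter formatter = new LosFormatter();
        return formatter.Deserialize(hiddenField);
    }

    public static void Main()
    {
        // Constructed sample: an account number mistakenly placed in view state.
        string blob = SaveToViewState("ACCT-4411-9920");
        Console.WriteLine("__VIEWSTATE value sent to the client: " + blob);
        Console.WriteLine("recovered by the client:             " + ReadFromViewState(blob));
    }
}
```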
Application State
● ASP.Net uses application state to represent global information shared by all sessions of a web application.
● The information is:
  – Initialized in the global.asax file (typically in Application_Start) and stored in the web server’s memory
  – Accessed with Application(“aName”)
  – Shared by every user and every request, so it must never hold per-user or sensitive data, and concurrent updates must be bracketed with Application.Lock() / Application.UnLock()
Session State
● ASP.Net uses session state to represent information associated with a single user session.
● The information is:
  – Stored on the server: in the ASP.Net worker process by default, or in a separate state-server process or SQL Server database so that it survives process recycling and can be shared across a web farm
  – Indexed by a session ID, stored either in the URL (cookieless mode) or in a cookie (ASP.NET_SessionId)
  – Accessed with Session(“aName”)
  – Discarded at the end of the session or after the idle timeout
● The session ID is the only thing tying a request to its session, so it must be unpredictable and kept private: carrying it in the URL exposes it in bookmarks, shared links, proxy logs and Referer headers, and an application that keeps using an ID it first received from the client, instead of issuing a fresh one after login, is open to session fixation.
Cookies
● Are small name/value records that the browser stores on the client machine, associated with a specific domain (and path), and sends back with every request to that domain.
● They are:
  – < 4K in size (per cookie)
  – temporary (discarded when the browser closes) or persistent (kept until their expiry date)
  – readable by script on the page unless marked HttpOnly, and sent over plain HTTP unless marked Secure
● Pose privacy concerns
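An added example, not from the slides, of setting one persistent and one temporary cookie from a hypothetical Prefs.aspx code-behind, with the attributes that limit what a cookie leaks. The HttpOnly property assumes .NET 2.0 or later; the page, cookie names and values are assumptions.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example (not from the slides): hypothetical Prefs.aspx code-behind.
public partial class Prefs : Page
{
    // Persistent cookie: Expires is set, so the browser writes it to disk
    // and keeps sending it until that date.
    public static HttpCookie MakePreferenceCookie(string theme)
    {
        HttpCookie cookie = new HttpCookie("theme", theme);
        cookie.Expires = DateTime.Now.AddDays(30);
        cookie.Path = "/";          // scope to this application; never set Domain wider than needed
        cookie.HttpOnly = true;     // .NET 2.0+: page script cannot read it, which limits theft via XSS
        return cookie;
    }

    // Temporary cookie: no Expires, so the browser discards it when it closes.
    public static HttpCookie MakeTempCookie(string value)
    {
        HttpCookie cookie = new HttpCookie("visit", value);
        cookie.Secure = true;       // only sent over HTTPS, never in clear text
        cookie.HttpOnly = true;
        return cookie;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;
        // Each cookie must stay under about 4 KB including its attributes, and
        // browsers cap the number per domain, so keep the data small and put
        // anything sensitive in server-side session state instead.
        Response.Cookies.Add(MakePreferenceCookie("dark"));
        Response.Cookies.Add(MakeTempCookie(Guid.NewGuid().ToString("N")));
    }
}
```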
3rd Party Cookies
Figure: client, server1 (a DoubleClick customer) and server2 (DoubleClick, with its database) connected over the network.
1. The user requests a page from a DoubleClick customer site.
2. The site returns a page that contains an image URL from DoubleClick.
3. The client requests the image from DoubleClick (sending a cookie).
4. DoubleClick records the fact that you visited the customer site.
5. DoubleClick returns a customized advertisement (setting a cookie).
Lou Montulli, Cookies
● Introduced in Netscape 1.1 in 1995
● Named them after UNIX magic cookies
● Wrote this preliminary spec:
http://home.netscape.com/newsref/std/cookie_spec.html
Security
● Web applications must be secured.
● Key issues:
  – Authentication
  – Authorization
● ASP.Net implements two-layered security:
  – Web server (IIS): authenticates the request and applies NTFS file permissions
  – Application (ASP.Net): applies the authentication mode and authorization rules configured in web.config
Authentication
● Authentication determines who the user is.
● It is generally implemented with login IDs and passwords.
● ASP.Net, together with IIS, supports the following access and authentication types:
  – Anonymous access
  – Windows Authentication
  – Passport Authentication
  – Certificate Authentication
  – Forms Authentication
Anonymous Access
● If a user is not authenticated, they are considered anonymous; IIS serves such requests under a fixed low-privilege Windows account (IUSR_machinename by default).
● The resources available to these users are limited only by:
  – What the web server (that anonymous account) has access to
  – What the web server and the application allow the user to access
● Keep that account’s file and database permissions to the minimum the public pages need.
Windows Authentication
● This method uses the MS Windows-based authentication built into IIS (Basic, Digest or Integrated NTLM/Kerberos).
● The user must:
  – Have a Windows account (local or domain) that the server recognizes
  – For Integrated authentication, use Internet Explorer on Windows, which makes it mainly an intranet option
● This is the default setting (authentication mode="Windows" in web.config). Basic authentication sends the password only base64-encoded, so use it over SSL or not at all.
Passport Authentication
● Passport authentication uses a centralized authentication service provided by Microsoft.
● It allows a user to use a single login account for a number of websites.
● It requires that the websites register for Passport service.
Certificate Authentication
● Certificate authentication is based on a client certificate, with its private key, installed on the user’s computer and presented by the browser during the SSL/TLS handshake.
● Features:
  – Certificates are generally issued by a 3rd party (a certificate authority); IIS maps them to Windows accounts.
  – Their operation is seamless to the user.
  – They rely on public-key cryptography: the client proves possession of the private key, so no password crosses the network.
Forms Authentication
● ASP.Net forms authentication lets the application collect credentials on its own login form and then issues an authentication ticket (a cookie by default), so the user is authenticated once per session rather than on every page.
● It doesn’t require that:
  – the user have a Windows login
  – the application register for Passport service
● It secures access to any ASP.Net form in a directory designated as secure (an <authorization> section in that directory’s web.config that denies anonymous users).
● The login form sends the password in the clear unless the login page is served over SSL, and the ticket is only as safe as its cookie: keep protection="All" (encrypted and signed) and set requireSSL.
Forms Authentication (cont.)
Figure: client and server (IIS Server, Application Processor, File System) connected over the network.
1. The user requests a web form in a secure folder.
2&3. If the user is anonymous, the application processor redirects the browser to the login form (recording the requested page in the ReturnUrl query parameter) and collects authentication information.
4. The application processor posts back either the requested page or an error page, depending on whether the authentication is successful.
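An added example, not from the slides, of the login page that step 2 redirects to. It assumes a web.config with <authentication mode="Forms"> and a <forms loginUrl="Login.aspx" protection="All" requireSSL="true" /> element, plus a web.config in the secure folder whose <authorization> section contains <deny users="?" />. The user store is a constructed one-entry sample, and the control and page names are assumptions; a real application would look the hash up in its database.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example (not from the slides): code-behind for the Login.aspx that
// forms authentication sends unauthenticated users to.
public partial class Login : Page
{
    // Assumed controls on the .aspx page, declared here so the example is self-contained.
    protected TextBox userName;
    protected TextBox password;
    protected Label message;

    // Constructed sample store: user name -> hex SHA1 of the password, in the
    // format FormsAuthentication.HashPasswordForStoringInConfigFile(pwd, "SHA1")
    // produces. Unsalted SHA1 is what this 2005-era API offers; a salted, slow
    // password hash is the better choice when you control the store.
    private static string LookupPasswordHash(string user)
    {
        if (user == "alice") return "7C4A8D09CA3762AF61E59520943DC26494F8941B"; // SHA1("123456")
        return null;
    }

    public static bool CheckCredentials(string user, string pwd)
    {
        string stored = LookupPasswordHash(user);
        if (stored == null) return false;
        string given = FormsAuthentication.HashPasswordForStoringInConfigFile(pwd, "SHA1");
        return String.Equals(stored, given, StringComparison.OrdinalIgnoreCase);
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (CheckCredentials(userName.Text, password.Text))
        {
            // Issues the encrypted and signed ticket cookie (protection="All") and sends the
            // user back to the secure-folder page that started the exchange (ReturnUrl).
            // Second argument false: a temporary cookie, not a persistent "remember me" one.
            FormsAuthentication.RedirectFromLoginPage(userName.Text, false);
        }
        else
        {
            // Same message for unknown user and wrong password: do not reveal which.
            message.Text = "Login failed.";
        }
    }
}
```

RedirectFromLoginPage follows whatever ReturnUrl the request carried; an application that cannot rely on its framework version to restrict that value should verify it is a site-rooted path before calling the method.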
Authorization
● Authorization determines what resources the authenticated user may access.
● ASP.Net allows an application to restrict authorization based on:
  – Files: NTFS permissions on the .aspx file, checked against the user’s Windows account (Windows authentication only)
  – URLs: <allow> and <deny> rules for users and roles in web.config, applied per directory or per file
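An added example, not from the slides, of checking the URL rules in web.config from code. The pipeline evaluates them once, when the original request arrives, so a page that hands off with Server.Transfer has to re-check the target itself. UrlAuthorizationModule.CheckUrlAccessForPrincipal is an ASP.Net 2.0 API; the Reports.aspx page, the query parameter and the target paths are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Added example (not from the slides): a hypothetical Reports.aspx that
// transfers to one of several report pages chosen by a query parameter.
public partial class Reports : Page
{
    // True only when the <authorization> rules that apply to virtualPath
    // allow this user to GET it. virtualPath must be absolute ("/app/...").
    public static bool MayView(IPrincipal user, string virtualPath)
    {
        return UrlAuthorizationModule.CheckUrlAccessForPrincipal(virtualPath, user, "GET");
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Whitelist the transferable targets; never build the path from the request.
        string target;
        switch (Request.QueryString["r"])
        {
            case "sales": target = "~/Secure/Reports/Sales.aspx"; break;
            case "audit": target = "~/Secure/Admin/Audit.aspx"; break;
            default:      target = "~/Secure/Reports/Summary.aspx"; break;
        }
        string absolute = VirtualPathUtility.ToAbsolute(target);

        // Server.Transfer does not re-run the authorization modules for the target,
        // so apply the target's URL rules here before handing off.
        if (!User.Identity.IsAuthenticated || !MayView(User, absolute))
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }
        Server.Transfer(absolute);
    }
}
```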