CIS 484 - Final Exam
WorkingWithObjects
stores the list in a Session variable, so it can be seen in multiple pages. In our example, one page is used to create Thing objects, and the other reads them.
what is considered free and open?
Application security tools and standards Complete books on application security testing, secure code development, and security code review Standard security controls and libraries Local chapters worldwide Cutting edge research Extensive conferences worldwide Mailing lists
other considerations
Be careful of JavaScript as only source of validation - validate on server as well JavaScript Injection JavaScript Deactivation .Net: do not store connection string in asp file (use web.config and encrypt) Use ObjectDataSouce or other better options
Web Controls
GUI widgets placed on the Page•In the System.Web.UI.WebControlsNamespace-https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.webcontrols.webcontrol?view=netframework-4.8- Typically declared and instantiated in the .aspx file- Becomes a property (member variable) of the Page- A Web Control's ID attribute is the name of the Page's "member variable", and can be referenced in the C# code• Rendered as HTML elements. Examples:-Labelrenders as a <span> tag-TextBoxrenders as a "text" type <input> tag-DropDownListrenders as a <select> tag, and its ListItemsrender as <option> tags-CheckBoxrenders as a "checkbox" type <input> tag• Web Controls involved in POST must be within <form> element• Many Web Controls can be data bound (e.g. DropDownList)
One possible way to loop through a list of things
foreach (Thing t in things) Response.Write("<br> " + t.StringProperty + " " + t.IntegerProperty);
how can you tell the difference between properties and variables
properties are Capitalized variables are lowercase
steps to keep in mind making a stored procedure
"CREATE" will be the first word of the stored procedure when you want to actually create it. • "ALTER" will allow you to modify an existing stored procedure. • "CREATE" or "ALTER" will both work only if the stored procedure does not already exist in the DB. • You will use/call the stored procedure from another query or from a data bound ASP web control on your page.
Using Master Pages
"Master Page" = Template Webform Structure that can be used for every page on your site! Master pages contain ContentPlaceHolderweb controls. A page that uses a master page will include Contentweb controls, that are linked to its master's ContentPlaceHolder.The web controls of the page should be embedded inside the Content web control.
OWASP recommendations
"OWASP recommends that organizations establish a strong foundation of training, standards, and tools that makes secure coding possible. On top of that foundation, organizations should integrate security into their development, verification, and maintenance processes. Management can use the data generated by these activities to manage cost and risk associated with application security."
what is OWASP
"The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted."
sql injection characters
' or " character String Indicators -- or # single-line comment /*...*/ multiple-line comment + addition, concatenate (or space in url) || (double pipe) concatenate % wildcard attribute indicator ?Param1=foo&Param2=bar URL Parameters PRINT useful as non transactional command @variable local variable @@variable global variable waitfor delay '0:0:10' time delay
ADO .NET
- API for interfacing to databases in the .NET framework - Similar to Java's JDBC
•Techniques for Maintaining State
-Cookies - files on client machine that can keep track of past user behavior (but only on the client machine) -Server-side files - files on server machine (e.g. use of fileSystemObject) -Server-side databases -Application and Session variables -Statebags and Hidden input tags -URL parameters
5- Step UI Design Process
1) use scenarios development 2) interface structure design 3) interface standards design 4) interface design prototyping 5) interface evaluation
Approaches to State Management
1.Application State [Higher Level - More Global] -Data values available to all users across all pages while the application runs -Use of Application variables 2.Session State - Per User -Data values available to a single user in all pages of the application during a session -Use of Session variables -Each user is given their own Session as they load the application. 3.Page State - Per Page -Data values available across postbacks of a single page in hidden input tags -Use of ViewState (StateBag) variables 4.Cookies [Lower Level - Client Machine Stored] -Data values retained at client (in-memory or in files) Use of Request.Cookies and Response.Cookies
ASP Label controls ultimately render as ______________________ tags in HTTP.
<span>
Life and Stages of a Page
A Page has a very short life •Stages: - Page request-Start- Initialize- Load- Postback event handling (if postback)- Rendering- Unload
What is a Validation Control?
A control that validates the value in another control• Renders as an HTML <span> tag with an error message• Each validation control is associated with one specific ControlToValidate (e.g. Textbox, DropdownList, etc.)• A particular web control can have multiple different types of validators
OWASP Top 10 - Overview
A1: Injection A2: Broken Authentication and Session Management A3: Cross-Site Scripting (XSS) A4: Insecure Direct Object References A5: Security Misconfiguration A6: Sensitive Data Exposure A7: Missing Function Level Access Control A8: Cross-Site Request Forgery (CSRF) A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects and Forwards
Page Class
All .aspx Web Forms are subclasses of the Pageclass- When you create a WebForm, you create a new class, which is a subclass of Page.- Then, this new class is instantiated when you run the web application• So, a Web Form is essentially one page in a web site
Consistency
All parts of the system work in the same way• Key areas of consistency are-Navigation controls-Terminology• Probably most important concept in making the system simple because it allows the users to predict what is going to happen
A big benefit of placing our connection strings in Web.config is:
Changing the details of the database connection is easier
In .NET, C#, Visual Basic, and J# (Jay-Sharp) all compile into ______________________________.
Common Intermediate Language, like Java Bytecode
Input Validation Types
Completenesscheck When several fields must be entered before the form can be processed Format check When fields are numeric or contain coded data Range check With all numeric data, if possible Check digit check When numeric codes are used, such as when checking credit card numbers Consistencycheck When data are related, such as when the user enters both a birth dateand a date of marriage (birth < marriage) Database check When data are available to be checked, such as when a user selects a user IDand we need to ensure it is not already taken
master page General Idea
Content that will appear on every page that uses this one as their "template" (at top and bottom of page) content pages will fill in this area with their content (middle of page) A content page is a partial pagethat only contains a <div> that will be "plugged into" the master page template
Which property is common to all Validator Server (Web)Controls:
ControlToValidate
cross site scripting
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Across-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy
For data bound ASP controls, a property that absolutely required for all of them is
DataSourceID
Which of the following data bound ASP controls displays the results of an SQL Query one record at a time?
DetailsView
Which of the following data bound ASP controls displays the results of an SQL query in a HTML table, with column names on the left and associated record values on the right?
DetailsView
Elements of an ASP .NET Page
Directives - controls compilation• Code declaration - contains application logic in C# • Could be done in .aspx file, but better in code-behind file• ASP .NET Web controls - those involved in POST need to appear within a <form> tag in HTML portion• Literal text and HTML tags - anything you can put in an HTML document
Layout
Each area may be further subdivided •Each area is self-contained •Areas should have a natural intuitive flow-Users from western nations tend to read from left to right and top to bottom-Users from other regions may have different flows
User Experience
Ease of learning-Significant issue for inexperienced users (learning curve)-Relevant to systems with a large user population• Ease of use-Significant issue for expert users-Most important in specialized systems• Sometimes ease of learning and ease of use go hand in hand
Which of the following are NOT a property of an SqlDataSource control:
EvalCommand
What happens to the cookie object Response.Cookies["PermanentCookie"].Expires = ExpDate;
Expires property of Cookie object causes it to be stored to a file, and will remain active until expiration date
Types of Inputs
Free form-Te x t b ox-Number box •Selection box-Check box-Radio button-List box (on-screen, drop-down, or combo)-Sliders http://www.wiley.com/college/dennis/0470074787/image_gallery/ch11/pages/fig_11_15.htm
Types of HTTP Requests
GET (client gets fromserver)- Just receive data from Web Server- The only data that is sent from client to server is from the URL parameters• POST (client posts tothe server)- For submitting form data to Web Server- Can send data from <input> tags• Others-http://www.w3schools.com/tags/ref_httpmethods.asp
Interface Evaluation
Goal is to understand how to improve the interface design before the system is complete• Have as many people as possible evaluate the interface •Ideally, interface evaluation is done while the system is being designed—before it is built
The main difference between the GridView and DetailsView controls is that ___________________.
GridView can display more than one row at a time, DetailsView will display only one record as a list.
4 Approaches to UI Evaluation
Heuristic- follow a check list• Walkthrough - give a "feel" for the interface (flow!) •Interactive - users work with a prototype to follow a common scenario• Formal Usability Testing - formalized process in a usability lab with video, keystroke counts, etc.
Request and Response
HttpRequest Class- Enables ASP.NET to read the HTTP values sent by a client during a Web request.- Page class's Request property is an instance of HttpRequest- https://docs.microsoft.com/en-us/dotnet/api/system.web.httprequest?view=netframework-4.8• HttpResponse Class•Enables ASP.NET to send responses to the client.•Page class's Response property is an instance of HttpResponse•https://docs.microsoft.com/en-us/dotnet/api/system.web.httpresponse?view=netframework-4.8
What happens to Expires property Response.Cookies["TemporaryCookie"].Value= "Won't be here after browser quits";
If Expires property is not set, it will be an in-memory cookie and will expire as soon as the browser is closed.
Creating a Class in Visual Web Developer
In Solution Explorer: -Choose Add New Item, then Class (instead of WebForm) (Make sure this is under "C#" on the left) -By default, non-GUI Classes that you create will go into a subfolder called App_Code. -See the Thing class in the WorkingWithObjectsexample (WORKINGWITHOBJECTS PPT SLIDE 4)
The DataTextField property in a data bound control does what?
Indicates the field from the query to display to the user in the control.
Injection
Injection flaws, such as SQL, OS (Operating System), and LDAP (Lightweight Directory Access Protocol) injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data. slide 8 on PDF
Interface Standards Design
Interface standards are basic design elements found across the system user interface• Standards are needed for:-Interface metaphor - shopping cart-Interface objects - names for objects-Interface actions - buy or sell-Interface icons - when in doubt use a word-Interface templates - layout
Minimal User Effort
Interfaces should be designed to minimize the effort needed to accomplish tasks• A common rule is the three-clicks rule-Users should be able to go from main menu of a system to the information they want in no more than three mouse clicks
Aesthetics
Interfaces should be functional, inviting to use, and pleasing to the eye •In most cases, less is more (minimalist design) •Blank space is important• Acceptable information density is proportional to the user's expertise-Novice users prefer less than 50% density (Hedonic?)-Expert users prefer more than 50% density (Utilitarian)
Content Awareness
Intuitively answers the users' questions:-Where am I?-What am I supposed to be doing here? •Content awareness applies to sub-areas within a form or window-Related form fields (e.g.address information) are grouped together-Related report information (e.g.records) are grouped together
What do these lines of code mean for cookie values Response.Cookies["MultivalueCookie"].Values["Cookie1"] = "First cookie"; Response.Cookies["MultivalueCookie"].Values["Cookie2"] = "Second cookie"; Response.Cookies["MultivalueCookie"].ValueExpires = ExpdDate;
It is possible for a cookie to contain multiple values.
how common is sql injection?
It is probably the most common Website vulnerability today! It is a flaw in "web application" development, it is not a DB or web server problem Most programmers are still not aware of this problem A lot of the tutorials & demo "templates" are vulnerable Even worse, a lot of solutions posted on the Internet are not good enough In OWASP tests over 60% of their clients turn out to be vulnerable to SQL Injection
The Eval() function is used in the context of a(n):
ItemTemplate
C#
Java-like object-oriented language
Principles of User Interface Design
Layout (Forethought) •Content Awareness (Relatedness) Aesthetics (Approach -Avoidance) User Experience (Flow) Consistency (Sameness) •Minimal User Effort (Easy)
C# Syntax for Creating a List of Things
List<Thing> things = newList<Thing>(); List<Thing> things Declaration:List class with <Thing> type parameter.By including <Thing> you are enforcing the rule that all elements of the list must be Thing objects. newList<Thing>(); InstantiationThis is the syntax for invoking the constructor. Also using the <Thing> type parameter specifier
Using Lists
Listis a class in the.NET framework• Implements a collection of objects• You can specify the type of object when declaring and instantiating a List variable by using type parameters.• Collection classes that involve type parameters are called Generic Collections. https://docs.microsoft.com/en-us/dotnet/standard/generics/collections
Which of the following, roughly, describes the Page Lifecycle:
Load -> PostBack Processing -> Render
Application State Management (aspx)
Maintain global data across all sessions for all users for a given web application •Can use global.asax file to initialize settings when the application first runs or perform cleanup when application terminates.
• ASP .NET
Markup language (like HTML and XML)- <asp: > tags are interspersed with HTML code
Multiple Interfaces
Microsoft Windows has multiple interfaces for the same functionality• Most users prefer to use Windows Explorer for handling files• Expert users sometimes prefer the command line interface•Experts: Dense UI -> Fast•Novice to Normal: Pleasant
least privilege
Minimize the privileges assigned to every database account in your environment. Do not assign DBA or admin type access rights to your application accounts.
Interface Design Prototyping
Mock-ups or simulations of computer screens, forms, and reports• Four common approaches-Storyboard-Windows layout diagram-Language prototype - most detailed but most expensive
When binding a server control to a database datasource, the "DataTextField" property of the control serves what purpose?
Name of the column in the corresponding DataSourceId's query results to display in the control
In an SqlDataSource control, consider the following code. What is occurring here? ConnectionString = "<% ConnectionString:SalesConnection %>"
Nothing will occur except an error: The syntax for the connection string is not correct.
Consider the following code carefully. These two methods are present in the code behind for the same ASP.net web form. What will happen when I run this page? protected void Page_Load(object sender, EventArgs e){foreach (var num in ((int[])Session["IntVarArray"])){txtInput.Text += num + " ";}} protected void btnInput_Click(object sender, EventArgs e){int[] varArray = { 1, 2, 3, 4, 5 };Session["IntVarArray"] = varArray; }
Nothing will occur, because the page will experience a NullReferenceException in the Page_Load method.
Non-Functional Requirements
Operational Requirements-Technologies that can be used (e.g.GUI, mouse)• Performance Requirements-User interface speed and capacity• Security Requirements-Restricted user interface (e.g.an ATM machine)• Political & Cultural Requirements-Date formats, colors and icons
sql injection prevention cheat sheet
Option #1: Use of Prepared Statements (Parameterized Queries) Option #2: Use of Stored Procedures (not as good as parameters) Option #3: Escaping all User Supplied Input (not as good as option 1 or 2) Additional Defenses: Also Enforce: Least Privilege Also Perform: White List Input Validation
Why POST and Post Back?
Postback: Handy when sending data to Application Server (C#) to be processed, change the contents of web controls on a form, and send that very form right back to the client with updated data. without postback, nothing really happens https://www.c-sharpcorner.com/uploadfile/2f73dd/what-is-postback-in-Asp-Net/
what prevents cross site scripting
Recent versions of ASP.net prevent this But its still a good idea to account for Cross-Site Scripting • It is still a very popular means of attack. more information on cross site scripting PDF
Types of Validators
RequiredFieldValidator •RangeValidator CompareValidator• RegularExpressionValidator• CustomValidator• Others All Validator controls have two important properties:1.ControlToValidate2.Text
Examine the following partial line of ASP code. Its purpose is to _________________________________________. . . . .ConnectionString = "<%$ConnectionStrings:CustomerData%>". . . .
Retrieve the connection string's actual value from the Web.config file.
SQL Stored Scalar Function (Returns one value) (function = procedure)
SQL Server Object • Handy when you need to store a critical calculation in one place like the DB and not in your code behind. • Example • For days in a Fiscal Year - July 1 to June 30 • Practice for later: • Determine number of days in a month on your own (before Final Exam)
POST requests ______________________________, whereas GET requests _________________________.
Send FORM data to web server; receives data from web server.
Session and State
Session data for both pages will be seen by master and both pages during load as well as during event processing Viewstate for each page will be seen only by the page itself, and it's change will be shown only during the postback event-handling code.
Session vs. ViewState
Sessiondata is available to all pagesin an application. A session refers to the duration of time that the user is interacting with the web site.A session ends when the browser closes or after a period of inactivity (typically 20 minutes) ViewStatedata is available only to the page itself (between posts). The ViewState becomes available AFTER the page loads, during postback event processing.
Assume a Master ASP.net Page exists, and the following code is present in a Sub-Page that uses that Master Page as its main template. This page attempts to display a standard username and password login to a user. What is the most serious problem with the following code?
Since this is a Sub-Page, its contents will be combined with the Master page, causing an error, since this page contains full page tags already present in the Master page.
SQL injection
The ability to inject SQL commands into the database engine through an existing application Select Insert Update Delete Alter Drop Create
2) Interface Structure Design
The interface structure defines -The basic components of the interface-How they work together to provide functionality to users •Windows Navigation Diagrams (WND) show -how all the screens, forms, and reports used by the system are related -how the user moves from one to another
Password Based Key Derivation Fucntion 2 (PBKDF2)
This method of password hashing is slow by design (uses key stretching) ● Prevents against brute force attacks (using a GPU to guess different character combinations over and over until one works) ● MD5 is secure, but designed to be fast - susceptible to brute force attacks ● Large random "salt" values are created to make sure that each user's password is hashed uniquely (if 2 or more users have the same password, the computer won't be able to find the others because random characters have been added) ● With regular cryptographic hash functions (e.g. MD5, SHA256), an attacker can guess billions of passwords per second. With PBKDF2, the attacker can only make thousands of guesses per second (depending on the configuration). ● As always, security is most improved by users creating strong passwords and these processes are constantly changing !
IsPostBack Boolean Property
This property is used by ASP.net to determine if The page is being loaded and rendered to the client for the first time(its value will be false)orIf the page is being rendered againdue to a client postbackfrom itself(its value will be true) Handy uses: preventing repetitive DB calls and WebControl duplicated data.https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.page.ispostback?view=netframework-4.8
purpose of bootstrap
To apply styles to your website using Classes • Note: Do not use • inline styles • internal style sheets • external style sheets • Place sourcing references in master pages when you can
Output Design Basic Principles
Understand report usage-Ordering, grouping, real time, batch• Manage information load-Report what is needed, not necessarily what is available •Minimize bias
Example Use Scenarios
Use scenario: Check Account Balance•Customer inserts ATM card in the card slot•ATM asks the customer to enter the PIN•Customer enters the pin using the numeric keypad•ATM displays a list of possible actions•Customer selects "Check Account Balance"•ATM displays a list of the customer's accounts•Customer selects "Checking Account"•ATM displays the checking account balance Use scenario: Make a Checking Account Withdrawal•Customer inserts ATM card in the card slot•ATM asks the customer to enter the PIN•Customer enters the pin using the numeric keypad•ATM displays a list of possible actions•Customer selects "Make a Withdrawal"•ATM displays a list of the customer's accounts•Customer selects "Checking Account"•ATM asks customer to specify the amount of the withdrawal•Customer selects one of the amounts show on the screen or enters a different amount using the keypad.•ATM dispenses the money.
1) Use Scenario Development
Use scenarios outline the steps performed by users to accomplish some part of their work• A use scenario is onepath through an essential use case• Presented in a simple narrative description• Document the most common cases so interface designs will be easy to use for those situations
what does the value property of cookie do? Response.Cookies["PermanentCookie"].Value = "Here to stay for 2 days";
Value property of Cookie object allows string value.
The use of ViewState variables to maintain page state differs from the use of Session variables to maintain page state in that ______________________________________
ViewState uses hidden variables in the HTML, Session is stored in server memory.
What is POSTBack?
When an ASP.net form is posting backor submitting data backto the same page you're currently on. Common Uses: Logins, Saves, Submits (Things the client web browser/computer cannot do - like connect to your db) Buttons: These cause postback events automatically. Other Controls: Set the AutoPostBackproperty. auto postback allows drop down menus to trigger a postback event to the server like a button does
white list input validation
White list validation involves defining exactly what is authorized, and by definition, everything else is not authorized. O'Brian issue The OWASP Enterprise Security API (ESAPI) project. getValidDate() getValidSafeHTML() getValidInput()
Properties
accessors and mutators applied to private member variables
CompareValidator
an be used to perform various comparison operations. In this case we are comparing the data entered to a desired data type. We are ensuring that the user actually enters numbers for the price and quantity. if valid data inputted, the page will post to the server and the button's OnClick event handler will be triggered. if user puts wrong type of data into field, this validator kicks in. NOTE: in these cases, the page will NOT post. Validation checks are handled at the client, not the server.
SQL function example
create FUNCTION DaysInYear (@Date datetime) RETURNS int with execute as caller AS BEGIN Declare @currentYear datetime, @nextyear datetime, @daysinyear int RETURN @DaysInYear END
login store procedure example
create procedure SimpleLogin @UserName as nvarchar(50) @password as nvarchar(50) as begin set nocount on; (this prevents extra result sets from interfering) select username, password from simplecredentials where username = @username and password = @password; end
how to create a stored procedure
create procedure name as begin select productName, productCost FROM Product order by ProductCost desc; END
template to make sql triggers slide 3 on sql trigger pdf
create trigger [schemaName.]triggerName ON target_table [FOR | AFTER | INSTEAD OF] [INSERT | UPDATE | DELETE] AS BEGIN {SQL STATEMENT} END; Can also use an INSTEAD OF trigger. This will replace the attempted operation on a table with one of your own (less common)
Locations of data in web applications
databases and files = global between applications application variables = global between sessions, within an application session variables or cookies = global between pages, within session script variables = local within page in between script variables = URL parameters, input tags, viewstate, shared between sending and receiving pages
SQL Injection target audience
for good, not for evil
•Interface Design
formalizes the interaction of the system with external entities System Interfacesare machine-machine and are dealt with as part of systems integration •API (Application Programming Interface)• EDI (Electronic Data Interface)• ETL(Extract-Transform-Load for Data Flow) -User Interfacesare human to computer (and reverse!) and are our focus in IS Implementation
types of menus
http://www.wiley.com/college/dennis/0470074787/image_gallery/ch11/pages/fig_11_12.htm
types of messages
http://www.wiley.com/college/dennis/0470074787/image_gallery/ch11/pages/fig_11_13.htm
Types of Outputs
http://www.wiley.com/college/dennis/0470074787/image_gallery/ch11/pages/fig_11_19.htm
When adding a Web Form to your project, you are actually adding a(n) ____________________________________________.
instance object of a child class of the Page class.
rendering the full page
master page + content page (your web browser requests this page) = final page (and is served up this page; master and content pages are merged)
RequiredFieldValidatoris
used to ensure that required fields are not left blank. if valid data is inputted, the page will post to the server and the button's OnClick event handler will be triggered. if required field is left blank, this validator kicks in. NOTE: in these cases, the page will NOT post. Validation checks are handled at the client, not the server.
sql trigger
useful when you need some other SQL (either DDL [stucture alteration] or DML [data alteration]) to occur automatically these statements cannot be purposefully run / directly called from the application they cannot receive data from the application (no parameters) one they run, the changes are made (no commit or rollbacks)
Managed code
within the Common Language Infrastructure (CLI). Common Intermediate Language (CIL)is like Java's bytecode Common Language Runtime (CLR)islike Java's virtual machine Virtual Execution System (VES) is the "simulated CPU" upon which the CLR operates. Note: Visual C++ can compile into either managed or unmanaged code. Unmanaged code is compiled directly to the machine language of the CPU, and is not part of the CLR
Directives
• Preprocessing instructions that affect overall behavior of pagesand controls.• Directives have attributesthat you can set for affecting behavior• Syntax: begin with @symbol.....embed in <% %>tags with attributes:<% @Directive attribute1 = "value" attribute2 = "value" %>Example: See @Page directive at the top of your .aspx file
Parameterized URLs (REST)
• RESTful queries are often used for Web Services• Parameterized URL:- http://xxx.com?param1=value1¶m2=value2¶m3=value3 • The parameters can be obtained via the HttpRequest class's QueryString property.
Disadvantages of Cookies
•Browsers can be set up to disallow cookies •Cookies can only have string values •Because information is retained by passing to the client: -Larger bandwidth of information passing on network -Increased memory demand on client •Generally, the use of cookies are the "exception" not the "rule"
Session Variable Options
•Can be made cookieless: -This alleviates the issue of browsers not supporting cookies -If cookieless, the sessionID information is included in the URL (like a URL parameter) •Can be made to store in SqlServer database -This alleviates the issue of memory overutilization -But because it requires database access, it slows performance
Cookies (cookie examples on week 4 slides)
•Client-side state maintenance •Cookies can be: -In-memory (lost after user closes browser) -Saved to file (retained on client machine until expiration date) •Use cookies via: -Response.Cookies [Requests a cookie be created on the client machine -> Write] -Request.Cookies [Reads a cookie (if it exists) from the client machine -> Read]
Session State Management
•HttpSessionState class -Used to keep track of session information, including session variable values -Page class's Session property contains the Session information.
Inserting and Deleting Cookie Values
•Important property of the HttpCookie class: -Values: a collection of key/value pairs (instance of the NameValueCollection class). NameValueCollection: -A list of key/value pairs. A multivalued cookie has this collection - - Properties: •Count - gives total number of key/value pairs (total cookie values) •Item - index into the collection (returns the value of a particular item from the collection) •Keys - a list of all the keys -Methods: •Add (overloaded) - can add an entire list, or a single item •Remove - removes the item identified by key from the list
Windows Navigation Diagrams
•Like a state diagram for the user interface- Boxes represent components•Window•Form•Report•Button- Arrows represent transitions•Single arrow indicates no return to the calling state•Double arrow represents a required return- Stereotypes show interface type
Generics for Strong Typing
•Many collection classes (such as ArrayList) do not allow you to restrict what type of objects they contain. •This could cause errors in the program; you can't control what gets into the collection. Genericcollection classes allow you to specify the types of objects that will be allowed in the collection (strong typing). This is done by specifying a type parameter when declaring an instantiating the collection object
Disadvantages of Application State Management
•Memory resource utilization on server •Requires locking to prevent session pages for manipulating data if undesired •Global variables è accessible to all
Input Design Basic Principles
•Online versus Batch processing-What is the difference? •Capture data at the source -What does this mean? •Minimize keystrokes-How do we do this?
Disadvantages of StateBags
•Only works within a single page. -Other pages of the session won't retain the value -If user goes to another page, and then back to original page, values are lost •Because information is retained by passing to the client: -Larger bandwidth of information passing on network - Increased memory demand on client
Navigation Design Basic Principles
•Prevent mistakes• Simplify recovery from mistakes• Use consistent grammar order -object-action or action-object
Disadvantages of Session State
•Server memory utilization •Security issues à hackers may be able to obtain session information; SSL would help prevent this •If Web Farm is used, session variables won't scale. Need to have dedicated machine for all session variables (Running Facebook for example) •Session variables require memory cookies enabled (by default)...some browsers may be set up not to allow this.
Managing State
•State = memory of application's configuration over time...maintained by variables and files. -Most programs regularly maintain state, BUT •The Web is Inherently Stateless -One page is unaware of what goes on in other pages -At any point in time, there is no memory of what happened at previous times -A web script's variables are either local (variables of a function) or script-scope (variables for the whole script)...in either case, these variables do not exist when the page is exited.
. Page State Management
•StateBag class -The class of state information for a page -StateBags consist of StateItems, identified by key values -Important properties: Count, Item, Keys, Values -Important methods: Add, Clear •Page class's ViewState property -An instance of the StateBag class -Contains all ViewState objects for the page •In essence, this is a mechanism for storing data values in a hidden HTML input tag. (_VIEWSTATE)