Ecommerce - PowerPoint PPT Presentation
Provided by: jonapr
Slides: 31

Transcript and Presenter's Notes

Title: Ecommerce

1
E-commerce
  • Lecture 16
  • Midterm Post-mortem
  • Cookies, Session Variables
  • DDOS

2
Infrastructure Security Midterm Statistics
  • Mean = 84

3
Infrastructure
  • Problem 1
  • Read only, Execute, Local recordset
  • COLLISIONS throw exception to client if needed
  • Problem 2
  • Client to Server, Server to ASPX.DLL, ASP service
    to ADO.NET, DB response to server, server to
    client (in HTML)
  • DIAGRAM

4
Infrastructure (cont)
  • Problem 3
  • First is plain HTML (no postback info lost)
  • Second is Web Server Control (w/ postback)
  • Problem 4
  • Via Class definition, properties, instantiate
    object of class (via reference)
  • Problem 5
  • Shopping cart, catalog, site map, look-feel,
    contact information, checkout, advertisements,
    hooks

5
Infrastructure (cont)
  • Problem 6
  • Give EXAMPLE

6
Security
  • Problem 1
  • Server (reduce services, patches, access, OS)
  • Client (education, firewalls, virus protection)
  • Network (encryption, noise, VPN)
  • Problem 2
  • Symmetric: same key for encrypt/decrypt
  • Asymmetric: key pair (public/private)
  • Advantages: reduced keys, no initial comm.

7
Security (cont)
  • Problem 3
  • Key Distribution Center (Public Key
    Infrastructure)
  • Key authorities (certificates)
  • Problem 4
  • Digital signatures w/ message digest function
  • Problem 5
  • Birthday ZIP code 1/8 (1/5-1/10)

8
Security (cont)
  • Problem 6
  • Updates patches
  • Scans for existing services
  • Recommends updates, settings
  • Generates reports
  • Problem 7
  • Keeps CC info private (bank vs. merchant)
  • Problem 8
  • List all elements (sandbox, bytecode verifier,
    class loader, security manager)

9
Onto Greener Pastures

10
Storing Information
  • Often, we'd like to save information about a
    client-server session
  • Has the visitor been to the site before?
  • Identification
  • What are their preferences?
  • Shopping cart information, etc.

11
Cookies!
  • We can store information on the client machine
    (or in the client's memory) via cookies

12
What is a Cookie?
  • Simply a name/value pair
  • Think of them as variables
  • UserID=jonpreston
  • The = character separates the name from the
    value

13
Making Cookies
  • HttpCookie class
  • Dim Oreo As HttpCookie
  • Oreo = New HttpCookie(NAME, VALUE)
  • This creates a temporary (in-memory) cookie
    stored in the client's memory

14
A Whole Batch of Cookies
  • A cookie file can contain multiple name/value
    pairs
  • Must name the cookie collection
  • Then provide name/value pairs

15
Writing Multiple Cookies
  • Dim LoginCookie As HttpCookie
  • LoginCookie = New HttpCookie("CCSU")
  • LoginCookie.Values.Add("username", "Jon Preston")
  • LoginCookie.Values.Add("password", "12345")
  • Response.Cookies.Add(LoginCookie)

16
Accessing Cookies
  • You can read the value of a cookie quite easily:
  • Request.Cookies(C_NAME)(NAME)

17
Stale Cookies
  • The most tasty cookies are
  • Temporary cookies
  • Only stored within the browser's memory
  • Stale cookies stay around longer
  • Persistent cookies
  • Stored within the client machine's HD
  • Live from session to session

18
Writing Cookies to the Client: Making them
Persistent
  • Dim MyCookie As New HttpCookie("LastVisit")
  • Dim now As DateTime = DateTime.Now
  • MyCookie.Value = now.ToString()
  • MyCookie.Expires = now.AddHours(1)
  • Response.Cookies.Add(MyCookie)
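
Here is an added example, not from the slides, that puts slides 13 through 18 together in one Web Forms code-behind: it writes the multi-value "CCSU" cookie, makes it persistent with an expiry, reads it back, and expires it again. The class and method names, the "theme" value and the HttpOnly/Secure settings are my additions; nameLabel is the Label control from slide 29, assumed to be declared in the page markup.

```vbnet
' Added example (not from the slides): a Web Forms code-behind that writes a
' multi-value cookie, makes it persistent, reads it back safely, and expires it.
' Assumed names: "CCSU" is the cookie name from slide 15; "theme", the class and
' the Sub/Function names are hypothetical.
Imports System
Imports System.Web
Imports System.Web.UI

Partial Public Class CookieDemo
    Inherits Page

    Private Const CookieName As String = "CCSU"

    ' Write a multi-value cookie. It is persistent when expireHours > 0,
    ' otherwise it lives only in the browser's memory (a temporary cookie).
    Protected Sub WriteLoginCookie(ByVal userName As String, ByVal theme As String, ByVal expireHours As Integer)
        Dim loginCookie As New HttpCookie(CookieName)
        loginCookie.Values.Add("username", userName)
        loginCookie.Values.Add("theme", theme)

        ' Only non-secret data belongs here: the client can read and edit any
        ' cookie, so passwords stay on the server (e.g. in session state).

        ' HttpOnly keeps script on the page from reading the cookie;
        ' Secure restricts it to HTTPS. Both are additions to the slides' code.
        loginCookie.HttpOnly = True
        loginCookie.Secure = Request.IsSecureConnection

        If expireHours > 0 Then
            loginCookie.Expires = DateTime.Now.AddHours(expireHours)
        End If

        Response.Cookies.Add(loginCookie)
    End Sub

    ' Read one value back. Request.Cookies(name) is Nothing when the browser
    ' never sent the cookie, so check before indexing into it.
    Protected Function ReadLoginValue(ByVal key As String) As String
        Dim loginCookie As HttpCookie = Request.Cookies(CookieName)
        If loginCookie Is Nothing Then
            Return Nothing
        End If
        Return loginCookie.Values(key)   ' Nothing if that key was never written
    End Function

    ' Tell the browser to delete the cookie: send it back with an expiry in the past.
    Protected Sub ExpireLoginCookie()
        Dim gone As New HttpCookie(CookieName)
        gone.Expires = DateTime.Now.AddDays(-1)
        Response.Cookies.Add(gone)
    End Sub

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        If Not IsPostBack Then
            Dim user As String = ReadLoginValue("username")
            If user Is Nothing Then
                WriteLoginCookie("Jon Preston", "dark", 1)   ' first visit: persist for 1 hour
            Else
                ' Cookie values come from the client; encode before rendering them.
                nameLabel.Text = Server.HtmlEncode(user)
            End If
        End If
    End Sub
End Class
```

Request.Cookies(C_NAME) returns Nothing when the browser did not send that cookie, so the one-line read on slide 16 throws a NullReferenceException on a first visit; ReadLoginValue checks for that case first. The slides store a password in the cookie; anything the client holds can be read and rewritten, so the example keeps only non-secret values there and leaves secrets to server-side session state.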

19
The Cookie Jar
  • On Win 95/98 machines, cookies live in
  • C:\Windows\Temporary Internet Files
  • You might have to dig around a bit; there could
    be a bunch of junk in there!

20
Cookies: a Two-Phase Process
  • Store the cookie on the client machine
  • Retrieve the cookie on the server and utilize it
  • Useful for keeping info
  • Want to keep all info in cookie?

21
Interesting Facts about Cookies
  • Each cookie can only hold a maximum of 20
    name/values
  • Oldest name/value pairs are dropped
  • The maximum size of a cookie is 4096 bytes
  • The maximum cookies per machine is 300

22
Security and Cookies
  • Cookies expire and are removed from your system
  • Cookies can only be read by the server that
    created the cookie
  • But

23
Security Holes
  • It is possible for other sites to hack into other
    sites' saved cookie information on your machine
    using a malformed URL
  • Microsoft released a patch to IE 5.01 on 5/18/00
    to fix this security problem

24
Rats in the Cookie Jar
  • What if Web sites agreed to work with a third
    party?
  • I could place an image tag in my HTML that loads
    a file and cookie from another site
  • This site could then read/set cookie info

25
Targeted Marketing on the Web
  • Some companies are designed to track your comings
    and goings on the web
  • Doubleclick
  • Focalink
  • Globaltrack
  • ADSmart
  • They offer tailored banner ads based upon sites
    you've visited (user profile)

26
Exterminating the Rats
  • Empty and change the attributes of the offending
    cookie file
  • Disable cookies (IE options)

27
The Reality of Cookies
  • You can't get a virus from cookies on your
    machine
  • Size limit of the cookie helps a bit
  • The real issue is privacy, anonymity, and whether
    you want information stored onto your computer

28
Loss of Control
  • Clients can edit, remove, disable cookies
  • Why not keep info stored on the server?
  • Use session variables
  • ID sessions based upon temp (in-memory) cookie;
    expire quickly (<sessionState timeout="X"> in
    web.config, default 20)
  • Downside: scalability (server memory)

29
Reading/Writing Session Variables
  • Session.Contents("uname") = "Jon"
  • Session("uname") = "Jon"
  • nameLabel.Text = Session("uname")
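
An added example (not from the slides) showing the session-variable pattern of slides 28 and 29 with the checks a practitioner wants: the read handles a session that has timed out or was never populated, and the logout path clears and abandons the session. Class and method names are my own; nameLabel is assumed to be a Label declared in the page markup, and the timeout comment refers to the sessionState element in web.config.

```vbnet
' Added example (not from the slides): session state in a Web Forms code-behind.
' Session data lives on the server; the browser only holds the session-ID
' cookie, so a visitor cannot edit these values the way they can edit an
' ordinary cookie. Class and method names are hypothetical.
Imports System
Imports System.Web
Imports System.Web.UI

Partial Public Class SessionDemo
    Inherits Page

    ' Write a value. Session("uname") and Session.Contents("uname") address
    ' the same store, so either form on slide 29 works.
    Protected Sub SaveUserName(ByVal userName As String)
        Session("uname") = userName
    End Sub

    ' Read a value. Session(key) is Nothing once the session has timed out
    ' (<sessionState timeout="20" /> in web.config: 20 idle minutes by default)
    ' or when the key was never written, so never cast it blindly.
    Protected Function ReadUserName() As String
        Dim value As Object = Session("uname")
        If value Is Nothing Then
            Return Nothing
        End If
        Return CStr(value)
    End Function

    ' Logout: drop everything stored for this session and end it. With the
    ' default in-process mode every live session costs server memory, which is
    ' the scalability downside noted on slide 28, so ending sessions matters.
    Protected Sub EndSession()
        Session.Clear()
        Session.Abandon()
    End Sub

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        Dim user As String = ReadUserName()
        If user Is Nothing Then
            nameLabel.Text = "Session expired or not started; please log in again."
        Else
            nameLabel.Text = Server.HtmlEncode(user)
        End If
    End Sub
End Class
```

Because the value on slide 15 that should never sit in a cookie (the password) can instead stay in Session, the client only ever holds an opaque session ID; the trade-off is the server memory per session that the slides flag as the downside.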

30
Intermission