WebFund 2014W: Tutorial 3: Difference between revisions

From Soma-notes
No edit summary
Undo revision 19747 by Soma (talk)
 
(7 intermediate revisions by the same user not shown)
Line 1: Line 1:
In this tutorial you will examine [http://homeostasis.scs.carleton.ca/~soma/webfund-2014w/session-demo.zip session-demo], a simple node express application that demonstrates session support.  You will need to use the browser and node debugging tools described in the [[WebFund 2014W: Tutorial 2|last tutorial]].
In this tutorial you will examine [http://homeostasis.scs.carleton.ca/~soma/webfund-2014w/T3/session-demo.zip session-demo], a simple node express application that demonstrates session support.  You will need to use the browser and node debugging tools described in the [[WebFund 2014W: Tutorial 2|last tutorial]].


In this tutorial you should do the following:
In this tutorial you should do the following:
* Get [http://homeostasis.scs.carleton.ca/~soma/webfund-2013f/session-demo.zip session-demo] running.
* Get [http://homeostasis.scs.carleton.ca/~soma/webfund-2014w/T3/session-demo.zip session-demo] running.
* Try logging in to the app using two different browsers (e.g., Firefox and Chrome).  What happens when you logout from one browser - how does it affect the other?
* Try logging in to the app using two different browsers (e.g., Firefox and Chrome).  What happens when you logout from one browser - how does it affect the other?
* Observe the request and response for the app's home page (http://localhost:3010).  Look at both the network panel (load the page ''after'' selecting the network panel) and the HTML DOM view (Inspector/Elements)
* Observe the request and response for the app's home page (http://localhost:3000).  Look at both the network panel (load the page ''after'' selecting the network panel) and the HTML DOM view (Inspector/Elements)
* Observe the contents of the form submit POST request: how much data is sent to the server?  Observe it both from the browser side (to see what is sent) and inside of node, particularly where the POST results are returned.
* Observe the contents of the form submit POST request: how much data is sent to the server?  Observe it both from the browser side (to see what is sent) and inside of node, particularly where the POST results are returned.
* The session state is stored in the browser.  Can you figure out the user's username from this information?
* The session state is stored in the browser.  Can you figure out the user's username from this information?
Line 10: Line 10:




To get checked off, show a TA the following using the browser and server debugging tools covered in the last tutorial (or similar tools):
To get checked off, show a TA the following:
* A session cookie sent by the browser
* A session cookie sent by the browser
* A session cookie stored on the server (persistently)
* A session cookie stored on the server


Questions to ponder:
Questions to ponder:

Latest revision as of 16:54, 31 January 2015

In this tutorial you will examine session-demo, a simple node express application that demonstrates session support. You will need to use the browser and node debugging tools described in the last tutorial.

In this tutorial you should do the following:

  • Get session-demo running.
  • Try logging in to the app using two different browsers (e.g., Firefox and Chrome). What happens when you logout from one browser - how does it affect the other?
  • Observe the request and response for the app's home page (http://localhost:3000). Look at both the network panel (load the page after selecting the network panel) and the HTML DOM view (Inspector/Elements)
  • Observe the contents of the form submit POST request: how much data is sent to the server? Observe it both from the browser side (to see what is sent) and inside of node, particularly where the POST results are returned.
  • The session state is stored in the browser. Can you figure out the user's username from this information?
  • What does the req.body and req.session look like just before a page gets rendered?


To get checked off, show a TA the following:

  • A session cookie sent by the browser
  • A session cookie stored on the server

Questions to ponder:

  • Who can observe the cookie? Modify it?
  • How "persistent" are sessions on the server? The client?
  • How could you "hijack" a session? Does the difficulty of session hijacking relate to whether a login is password protected or not?