Syllabus for Building Web Applications
Books referred to below:
- HDH: Shiflett, Chris. 2003. HTTP Developer's Handbook. Indianapolis: Sams.
- WDA: Lane, David, and Hugh E. Williams. 2002. Web Database Applications with PHP & MySQL. Sebastopol: O'Reilly and Associates.
Week 1 - The World of Web Applications
Topics:
- The fundamental characteristics of web applications: distributed, stateless underneath, constantly on guard
- Tradeoffs involved in development: fast/cheap/good; caching: accuracy vs. speed; uptime and scalability: cost vs. risk * problem; abstraction: portability (and understanding) vs. speed (and understanding); convenience vs. security
- What HTTP messages look like: request/response; different methods; form & cookie headers; how SSL fits into the picture; how web servers can talk to different backend servers to produce a response (DB, SOAP, etc.)
- Axes for interactivity and personalization: time, geography, profile data, activity history
- Contrast PHP with other web application platforms such as ASP.NET and J2EE
- Review CS facilities and what is set up for student use
Readings:
- HDH Chapters 1 - 4
- WDA Chapters 1 - 2
- CS facilities handout
Homework Assigned:
- Handout 1 (Build a small site with PHP)
Week 2 - Great and Powerful Oz: the Relational Database Management System
Topics:
- What you get from a relational database (ACID, SQL) and what it costs (time, money)
- Some typical relationships in a web app: users, profiles, messages; content and metadata; products and orders
- Accessing the database from PHP with PEAR DB
- Common techniques: Sorting and ordering in the DB (not in PHP), combining queries in a page, memoization
- When to use indexes
Readings:
- WDA Chapter 3 and Appendix C
- Chapter 2 of SQL for Web Nerds by Philip Greenspun
Homework Assigned:
- Handout 2 (Adding a database to your Week 1 site)
Week 3 - Interactivity and Forms
Topics:
- Making forms friendly: validation & error messages; preserving defaults
- Introduction to cross-site scripting
- Using the HTML_QuickForm package for easier form generation
- Guarding against repeat form submission
- Uploading Files in forms
Readings:
- WDA Chapter 5
- HTML_QuickForm chapter from Essential PHP Tools by David Sklar (in progress; Apress 2004)
- Nebel, E., and L. Masinter. 1995. "RFC 1867: Form-based File Upload in HTML"
Homework Assigned:
- Handout 3 (Adapt Week 2 site to use HTML_QuickForm)
Week 4 - Statelessness and Related Political Problems
Topics:
- Cookies: how they work and how to use them from a web app; overcoming a fear of cookies and coping without cookies.
- Sessions: how they work and how to use them; what problem they solve; using sessions without cookies; using different session storage backends
Readings:
- HDH Chapters 11 - 13
- WDA Chapter 8
- PHP Manual Chapter 17: "Cookies"
- PHP Manual Function Reference Section 93: "Session handling functions"
- Kristol, D., and L. Montulli. 2000. "RFC 2965: HTTP State Management Mechanism"
- Netscape Corporation. "Persistent Client State: HTTP Cookies"
Homework Assigned:
- Handout 4 (Stateful Quiz System)
Week 5 - Users
Topics:
- Account creation and signup
- Verification and multi-page data gathering
- Distinguishing between forgetful users and persistent attackers
- Storing encrypted passwords
- User-specific activity: logging, presenting data
- User privacy: making sure their expectations match your actions, handling data appropriately.
Readings:
- WDA Chapter 9
- Andersson, Eve, Philip Greenspun, and Andrew Grumet. 2003. Internet Application Workbook. Chapter 5
Homework Assigned:
- Handout 5 (Making the Quiz System User-aware)
- Internet Application Workbook Chapter 5, exercise 2
Week 6 - The Big Picture: Application Architecture
Topics:
- Separating design and logic
- Templating: Smarty, using PHP as a templating language
- Frameworks: Model-View-Controller, Model 2
Readings:
- Smarty Chapter from Essential PHP Tools
- Sweat, Jason E. 2003. "Industrial Strength MVC." php|architect June 2003
- Smarty Crash Course
- Phrame Users Guide
- Singh, Inderjeet, Beth Stearns, Mark Johnson, et al. 2002. Designing Enterprise Applications with the J2EE Platform. Section 4.4, "Web Tier Application Design", Section 11.1.1 "Model-View-Controller Architecture"
Homework Assigned:
- Handout 6 (Quiz System with Smarty and Phrame)
Week 7 - Security
Topics:
- The different goals of "security": verifying communication endpoints, verifying communication contents, and protecting communication contents.
- Being paranoid about external input, which requires broad definitions of "external" and "input": avoiding cross-site scripting and injection attacks.
- Using cryptography wisely: one-way hashes, preventing tampering. When is passphraseless public-key encryption useful?
- Using SSL
- A nod to system administration security issues
Readings:
- HDH: Chapters 18, 22, 23
- Wheeler, David. 2003. Secure Programming for Linux and Unix HOWTO. Chapters 5, 7 - 11.
- Cryptography FAQ. Chapter 6
- Sklar, David and Adam Trachtenberg. 2003. PHP Cookbook. Sebastopol: O'Reilly and Associates. Chapter 14.
Week 8 - XML, Web Services and Other Buzzwords
Topics:
- Why these technologies are useful
- Storing, retrieving, and parsing XML
- Consuming a SOAP or XMLRPC web service
- Producing a SOAP or XMLRPC web service
Readings:
- HDH: Chapter 25
- Cerami, Ethan. 2002. Web Services Essentials. Sebastopol: O'Reilly and Associates. Sections 1.2, 1.3, 1.4; Chapters 2, 3, 6.
- Trachtenberg, Adam. 2003. "A PHP Web Services Client". ONLamp.com.
Week 9 - Caching: Time vs. Space
Topics:
- Determining what can be cached and for how long (from seconds to infinity)
- Implementing your own caching layers vs. using application's caching layers
- Reverse proxies
- The merits of caching in memory, disk, or database
Readings:
- HDH Chapters 14 - 16
- Widenius, Michael, and David Axmark. 2003. MySQL Reference Manual. Section 6.9.
- Barroso, Luiz André, Jeffrey Dean, and Urs Hölzle. 2003. "Web Search For a Planet: The Google Cluster Architecture". IEEE Micro.
Week 10 - Traffic Analysis and Performance Testing
Topics:
- The different goals of traffic analysis: technical information, marketing information, editorial information; what kind of analysis makes sense for each
- Logging options and what to log
- Analysis with analog
- Performance Testing with Microsoft Web Application Stress Tool or ApacheBench
- Logging with Spread
Readings:
- Haigh, Susan, and Janette Megarity. 1998. "Measuring Web Site Usage: Log File Analysis". National Library of Canada Network Notes 57.
- Turner, Stephen. 2003. "How the web works".
- "Stress Tools to Test Your Web Server". Microsoft Knowledge Base Article 231282.
Week 11 - The Human Element (Part 1): Interface Design and Usability Testing
Topics:
- The problems with users: they don't read, they expect consistency (except when it bothers them), they think differently from developers
- Making site organization user-centered, not organization-centered
- Using paper prototypes
- Getting the most out of low-key testing
- How to observe and run a simple usability test.
Readings:
- Spolsky, Joel. 2001. User Interface Design for Programmers.
- Nielsen, Jakob. 2003. "Paper Prototyping: Getting User Data Before You Code (Book Review)"
- Nielsen, Jakob. 1996. "Top Ten Mistakes in Web Design".
- Nielsen, Jakob. 1999. "Top Ten New Mistakes of Web Design".
Week 12 - The Human Element (Part 2): Collaborative Development
Topics:
- The different roles required for building a web app
- Using a version control system and bug tracking system
- Making these tools mirror your human processes, not the other way around
- Automated testing and deployment.
Readings:
- Blandy, Jim. Undated. "Learning to use CVS".
- Sklar, David. 1998. "Using CVS for Collaborative Web Site Development".
- Spolsky, Joel. 2000. "Painless Bug Tracking".
- Spolsky, Joel. 2001. "Hard-assed Bug Fixin'".
Week 13 - The Physical Element: Network Design & Data Center Security
Topics:
- Constrain your paranoia by evaluating your risk: cost of solution * likelihood of problem <= cost of problem
- Calculating the cost of downtime
- What good and bad things can happen when other people have physical access to your computers
- Building internal and external networks
- Who do you trust: yourself, your employees/partners/coworkers, contractors, data center neighbors?
Readings:
- Garfinkel, Simson, Alan Schwartz, and Gene Spafford. 2003. Practical Unix & Internet Security, 3rd Edition. Sebastopol: O'Reilly and Associates. Chapters 8 and 9.
- Friedman, Seth. "Building the Ideal Web Hosting Facility: A Physical Security Perspective".
Final Project
Build a web application that has the following characteristics:
- Users can create and modify accounts
- Logged-in users have different capabilities than anonymous users
- Users can contribute data to be displayed by the application
- The application uses data from at least one external [other than users or present when the application is built] source
The application should use a templating system and a design paradigm like MVC that separates core business logic, display formatting, and interface logic.
In addition to the application's source code, submit a write-up that details the security and scalability problems the application does and does not solve. In what ways does the application prevent attacks? To what kinds of attacks is it open? On what axes does the application scale simply or elegantly? On what axes does the application scale poorly or expensively? For each security or scalability shortfall of the application, be sure to include a discussion of why the problem isn't solved, whether due to cost, complexity, time, insignificant risk, or another reason.
A 2 - 3 page proposal outlining the term project is due at the start of Week 7. The proposal should include the general area of the project (such as a photo album, message board, dating service), the features of the project that will satisfy the list of characteristics above, and a preliminary database schema.
Supplemental Bibliography
- Box, Don, et al. 2000. "Simple Object Access Protocol 1.1 Specification".
- Cederqvist, Per, et al. 2003. Version Management with CVS.
- Christensen, Erik, et al. 2001. "Web Services Description Language 1.1 Specification".
- Curphey, Mark, et al. 2003. The Open Web Application Security Project Guide to Building Secure Web Applications.
- Gourley, David and Brian Totty. 2002. HTTP: The Definitive Guide. Sebastopol: O'Reilly and Associates.
- Meier, J.D., Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan. 2003. Improving Web Application Security: Threats and Countermeasures Roadmap. Redmond: Microsoft.
- Snyder, Carolyn. 2003. Paper Prototyping: The Fast and Easy Way to Design and Refine User Interfaces. San Francisco: Morgan Kaufmann.
- Turner, Stephen. 2003. Analog Documentation.
- Winer, Dave. 2003. "XML-RPC Specification".