WWW: Beyond the Basics

12. Common Gateway Interface

12.3. Issues

12.3.1. Security

12.3.1.1. Malicious Attacks

Whenever a server is running on a computer, that server is a potential source of security leaks. If a server provides only read access to a set of documents, there is some possibility that documents will be read by people for whom they were not intended. If a server provides write access, the computer is opened up to many more threats. The worst consequences can arise when a server provides the ability to run programs on the host computer, as a server that supports CGI does, unless the server and each program it runs are adequately protected.

12.3.1.2. Authentication and CGI Applications

There are two important steps to maintaining a certain level of security within a World Wide Web site -- authentication and authorization. Authentication is how a server identifies users and makes sure that they really are who they say they are (see Chapter 18). Authorization is the process of determining which documents an authenticated user may access.

Often, in the context of the World Wide Web, authentication is provided by a simple name/password combination (HTTP Basic authentication). When a user requests a protected document, the server replies with a challenge asking the user's WWW client for authentication. The WWW client then asks the user for a name/password combination, which it sends back to the server with the repeated request. If the combination is a valid one, the user is authenticated, and can then be authorized to access the server's documents. Each time the authenticated user requests a protected document, the name/password combination is resubmitted by the client to the server. Note that the client only base64-encodes the combination; it is not encrypted, so on an unencrypted connection it travels in the clear with every request.
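The exchange described above, written out as an added example that is not part of the original page: the server's 401 challenge, the client's base64-encoded resubmission, and the server-side parsing and verification. The realm name, the user store and the fixed salt are constructed for the example; a real server would keep salted hashes in a file such as the one its password tool writes, never the plaintext.

```python
import base64
import binascii
import hashlib
import hmac

REALM = "Protected Area"  # assumed realm name for the challenge

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the server never stores the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

# Constructed user store: name -> (salt, hash). One user for the example.
_SALT = b"constructed-fixed-salt"
USERS = {"alice": (_SALT, hash_password("s3cret", _SALT))}

def challenge():
    """The 401 response the server sends when no valid credentials arrived."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, "Authorization required\n"

def client_authorization(user: str, password: str) -> str:
    """What the WWW client sends back after the user types name and password.
    This is base64 encoding, not encryption: anyone on the wire can decode it."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def parse_basic(header):
    """Return (user, password) from an 'Authorization: Basic ...' header, or None
    for a missing header, a different scheme, bad base64 or a malformed pair."""
    if header is None:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # the password may itself contain ':'
    if not sep or not user:
        return None
    return user, password

def check_credentials(user, password, users=USERS):
    entry = users.get(user)
    if entry is None:
        hash_password(password, _SALT)  # spend the same time for unknown users
        return False
    salt, expected = entry
    return hmac.compare_digest(hash_password(password, salt), expected)

def handle_request(headers, users=USERS):
    """Resolve one request: (status, response headers, authenticated user or None)."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None or not check_credentials(*creds, users=users):
        status, hdrs, _ = challenge()
        return status, hdrs, None
    return 200, {}, creds[0]

if __name__ == "__main__":
    # First request carries no credentials and draws the challenge.
    print(handle_request({}))
    # The client resubmits with the encoded name/password pair.
    print(handle_request({"Authorization": client_authorization("alice", "s3cret")}))
```

The `partition(":")` on the first colon is deliberate: the user name cannot contain a colon, but the password can, so splitting on the last colon or on all colons would reject valid passwords.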

Servers can also provide authorization protection for specific documents or for sets of documents within the server document space. For example, all of the contents of a directory on a server can be assigned a list of authorized users; a user must be properly authenticated and appear on that list before gaining access to the directory, and everyone else is denied access.

To provide a bit more flexibility with document control, authorization can be left up to a CGI application. When an authenticated user accesses a CGI application, the server sets an environment variable (REMOTE_USER) which provides the name of the user to the CGI-app; the CGI-app can decide whether or not to provide access to the user. The CGI-app should rely only on that variable, which the server sets after authenticating the user: any header the client itself sends is passed to the CGI-app as an HTTP_* variable and could be forged. In addition, a CGI application that generates complex WWW pages can present different pages to different users, as long as they are authenticated. A WWW site can keep a list of preferences or configuration details for each user and apply these preferences to the page generation methods of the site.
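An added example (not code from the original page) of a CGI application that performs its own authorization from REMOTE_USER and then generates a per-user page. The allowed-user list and the preference table are constructed for the example; in practice they would come from a file or database on the site.

```python
import html
import os
import sys

# Constructed authorization data: which authenticated users may use this
# CGI-app, and per-user preferences applied when the page is generated.
ALLOWED_USERS = {"alice", "bob"}
PREFERENCES = {
    "alice": {"greeting": "Welcome back", "items_per_page": 50},
    "bob": {"greeting": "Hello", "items_per_page": 10},
}
DEFAULT_PREFS = {"greeting": "Hello", "items_per_page": 20}

def current_user(environ):
    """The user the server authenticated, or None.

    REMOTE_USER is set by the server only after a successful authentication.
    A client cannot forge it: a request header named Remote-User would arrive
    as HTTP_REMOTE_USER, which this function deliberately ignores.
    """
    user = environ.get("REMOTE_USER", "").strip()
    return user or None

def build_response(environ, allowed=ALLOWED_USERS, prefs=PREFERENCES):
    """Return (status line, HTML body) for one CGI request."""
    user = current_user(environ)
    if user is None:
        # The directory should have been protected; refuse rather than guess.
        return "403 Forbidden", "<p>This application requires an authenticated user.</p>\n"
    if user not in allowed:
        return "403 Forbidden", f"<p>User {html.escape(user)} is not authorized.</p>\n"
    p = {**DEFAULT_PREFS, **prefs.get(user, {})}
    body = (f"<h1>{html.escape(p['greeting'])}, {html.escape(user)}</h1>\n"
            f"<p>Showing {p['items_per_page']} items per page.</p>\n")
    return "200 OK", body

def main():
    # A CGI-app reads its environment and writes headers, a blank line, then the body.
    status, body = build_response(os.environ)
    sys.stdout.write(f"Status: {status}\r\nContent-Type: text/html\r\n\r\n{body}")

if __name__ == "__main__":
    main()
```

The user name is HTML-escaped even though the server has authenticated it: authentication says who the user is, not that the name is safe to paste into a page.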

12.3.2. Language

There are many points to consider when choosing a language to use when developing CGI applications. Here is a list of some of them:

12.3.3. Performance

For World Wide Web sites that serve mainly static document requests, the performance bottleneck is often the server's network connection. It doesn't take much time or computational power to read a file from a hard disk, but it does take some time to send that file over a slow network connection. As servers gain faster network connections, the bottleneck moves from the network to the server itself.

This is especially true on WWW servers that provide many dynamically produced documents. In this case, serving one client request takes much more time and effort than simply reading a file and returning it. To run a CGI application, the system needs to start a new process, execute the code (which could be complex), collect the results, and then return them. If the CGI-app is a gateway to a second application, say, a database, then the second application may spend much time providing the data the CGI-app needs. While CGIs increase the flexibility of a server, they can significantly decrease the server's performance.


Copyright © 1996 J. Patrick Van Metre, All Rights Reserved

J. Patrick Van Metre <vanmetre@csgrad.cs.vt.edu>
Last modified: Sat Oct 26 13:26:04 1996