User manual PROGRESS SHADOW Z-ENTERPRISE WEB SERVER ADMINISTRATION GUIDE V5

[. . . ] Z/ENTERPRISE WEB SERVER Administration Guide Version 5 Copyright © 2008 Progress Software Corporation. Progress® software products are copyrighted and all rights are reserved by Progress Software Corporation. This manual is also copyrighted and all rights are reserved. This manual may not, in whole or in part, be copied, photocopied, translated, or reduced to any electronic medium or machine-readable form without prior consent, in writing, from Progress Software Corporation. [. . . ] (This is a normal end-of-transaction transmission process. ) The "Set-Cookie:" response consists of a name and value pair. The name is derived by prefixing the state information set name you assigned with the speciallyrecognizable string, "SWSSTATE_". The value is a representation of your application's data in encoded form. The Web browser re-transmits this name and value pair back to the server in an HTTP "Cookie:" request header. As part of request parsing, the server checks all inbound "Cookie:" headers for the special string prefix "SWSSTATE_". If found, the server re-constructs the original set of information saved by your application. Benefits of Using Cookies HTTP cookies are the most versatile transport mechanism because of the following: The browser can send them whenever it accesses your host domain and the specific or general URL path within it. (Your application-generated HTML or hyperlinks do not need to be preset into the browser's window for this to occur. ) HTTP cookies can be made persistent. Browsers can continue to send the cookies, even when the browsers contact your site infrequently. Considerations The COOKIE-type of information set is ideal for saving user profile information or other non-sensitive data. Because your application's data is actually transmitted to and from the browser, the following rules exist: You must ensure the data's validity, since it can easily be spoofed or altered. You should avoid storing sensitive value data at the browser unless using SSL communications sessions to/from a browser that is in a secured location. 9-14 Shadow z/Enterprise Web Server Administration Guide The "Official" HTTP Cookie Specification Using CTOKENS and FTOKENS Use CTOKEN-type or FTOKEN-type information sets instead of COOKIE-type sets if you meet any of the following criteria: You need a short-term, server-controlled time limitation. You want to retain sensitive data only at the server. Creating a COOKIE-type Set The following example uses Shadow/REXX statements to create a COOKIE-type information set named "EMPDATA" and saves profile data into the set: GLVSTATE. EMPDATA GLVSTATE. EMPDATA. VALUE. NAME GLVSTATE. EMPDATA. VALUE. TITLE GLVSTATE. EMPDATA. VALUE. PRODUCT GLVSTATE. EMPDATA GLVSTATE. EMPDATA. VALUE. NAME GLVSTATE. EMPDATA. VALUE. TITLE GLVSTATE. EMPDATA. VALUE. PRODUCT = = = = = = = = 'NEW(COOKIE)' /* Create COOKIE-type set */ 'John F Fields' 'Product Author' 'Shadow Web Server' 'NEW(COOKIE)' /* Create or re-initialize */ 'John F Fields' 'Product Author' 'Shadow Web Server' The "Official" HTTP Cookie Specification HTTP cookies, originally invented by Netscape to maintain persistent client state information, were implemented in Netscape's 2. 0 release. Although these specifications were never officially adopted by the Internet's standards organizations, they have been widely adopted by all modern Web browsers and Web servers. Attempts to define an official standard for HTTP cookies have not been successful; thus, Netscape's specification remains the de facto standard. (See Cookie I-D Drafts for a list of the many revisions to the "official" RFC2109 HTTP cookie specification. ) To open a separate window describing Netscape's original HTTP cookie specification, point your Web browser to the following address: http://home. netscape. com/newsref/std/cookie_spec. html. We strongly suggest you familiarize yourself with this specification if you intend to use HTTP cookies as a transport mechanism for application state information. Comments and suggestions for the use of HTTP cookies in Shadow z/Enterprise Web Server refer to the Netscape specification. Possible Anomalies Although the Automated State Management Facility (ASMF) provided by Shadow z/ Enterprise Web Server normally hides all the details of working with HTTP cookies, your application must be designed to appropriately use cookies. Failure to take into account how Web browsers support and use HTTP cookies could result in some or all of the following anomalies: No cookies are returned by the Web browser for any applications' URLs, contrary to what was anticipated. Shadow z/Enterprise Web Server Administration Guide 9-15 Automated State Management Facility (ASMF) Cookies are returned by the Web browser for some applications' URLs but not for others, contrary to what was anticipated. The inbound cookies are transmitted or omitted in what seems to be a random pattern. Duplicately named cookies are sent by the Web browser for certain applications' URLs but not for others. The cookies are sent in a seemingly random fashion. Making HTTP Cookies Work Reliably Normally, anomalies arise because of MVS-centric thinking when authoring both static HTML pages and dynamic applications. To minimize anomalies, authors must base their developments on the fact that the Internet was originally devised and operated solely on UNIX-based platforms. Keep the following points in mind: Most Internet URLs, like the UNIX file system, are normally formed as a hierarchal directory and sub-directory path, with a filename specification at the end. [. . . ] LANs are representative these G-10 Shadow z/Enterprise Web Server Administration Guide TCP/IP Architecture networks. Protocols such as ARP, ProxyARP, RARP, BooP and DHCP are used with it. Multiaccess nonbroadcast networks Again, any host can have multiple connections to other host simultaneously; however, there is not a single messaging command that communication with all the hosts simultaneously. Examples of this type of network are X. 25, Frame Relay, and AnyNet Sockets over SNA. [. . . ]