Raw Web Programming FAQ

This assignment asks you to write a Web program. At this point in the course, the purpose of this assignment seems unclear. Once the assignment has been handed in, we'll introduce an entirely new way of programming the web which is intimately linked with one of the fundamental ideas in programming languages. By completing this assignment now, you'll be better prepared to appreciate this idea when we introduce it in class.

Your Web program should run on the department's server [1]. CGI (the Common Gateway Interface) is the simplest Web programming protocol and you are required to use it for this assignment [2]. Turn in the source code of your Web program, as well as a URL (Web address) that the graders can use to test it.

Although this program is quite simple, it is representative of the core of much larger Web software (just like the interpreters we write in this course are themselves quite lean, but represent the core of large programming languages).

Some Web applications depend on having a usable email address for each user. A calendar manager, for instance, might send event reminders to that address. Because it provides no means of verifying the user's actual identity, an email address is not a sufficient form of authentication for Web programs. There are two common ways that Web programs handle this problem. The first involves using a secure password authentication system. The second, which is the one that you'll use in this assignment, works as follows:

  1. the user visits a Web page;
  2. the page contains a form with a single data entry field;
  3. in that field, the user enters an email address;
  4. the application sends an email message to that address;
  5. the message contains a URL (we'll call this the key URL);
  6. the user visits the key URL [3];
  7. this confirms to the Web application that the user entered a valid email address, and the rest of the application can commence.

We want you to implement such a email checker. The "rest of the application" should just print a message that includes the user's email address and says that that email address has registered successfully. You do not need to check for duplicate registrations. Your program should not, however, successfully register someone who does not visit the key URL!

The validation process should be reasonably secure; for instance, if you simply put the email address in the URL, then it becomes easy for a malicious user who notices the pattern to infiltrate your database of registered users with bogus email addresses. On the other hand, if the malicious user is required to guess a random number, that's secure enough. Also, you don't need to worry about the user visiting the key URL multiple times. And because of the restrictions imposed by our department's system, you can use world-writable files for storing data.

This application does raise issues of resource management: a malicious user could fill your entire database with initial requests, but not complete any of them (and not even have to bear the consequences of his action by entering a bogus email address). A real Web application would protect against such behavior. You don't have to, but it's okay if you do, e.g., by using timeouts. That is, if the user takes longer than (say) three days to visit the key URL, the program can report that the URL is no longer valid and the user must start afresh (if you do use timeouts, make them at least a day long). Likewise, this application doesn't need to be highly fault tolerant. If someone is attacking your server, you may need to restart it; doing so may expire recent key URLs. That's okay. Just tell the user to restart the registration process.

[1] You are permitted to run CGI programs on the department's internal network. Put your CGI programs in /pro/web/cgi-bin. They should have world readable and executable permissions (chmod 755 program-name). Your programs will only work on the department's internal webserver (make sure to use web-int as the hostname; localhost and www.cs.brown.edu will not work).

[2] CGI being about the Web, there's no shortage of documents about it on the Web. Here's the default reference.

[3] Note that you can't substitute the key URL with a generated key that the user must enter into a Web page. We really want an interface where you generate a single key URL, visiting which is all the user needs to do to notify the application that the email address is valid. (If you can build the former, it's not much more work to write the latter.)

FAQ

  1. The assignment says that the key URL needs to be reasonably secure. Should I generate a new Web program (using a reasonably secure method to generate the filename) for each key URL?

    Although you may use this method, there's an easier (and much nicer!) way to do it. You should write a single Web program, which takes in a reasonably secure key as an argument. The Web program can then query the database for the key and complete the rest of the process appropriately.