Controls in web-based Applications
Controls are needed in web-based applications to:
- protect the system and data against unauthorized and inappropriate use
- safeguard the privacy interests of the organization and the users of the system
- ensure that transactions are properly completed
The first two fall under the category of security; the last relates to transaction integrity.
Security concerns

Electronic transactions involving sensitive data (personal information, credit card information, etc.) require a significant amount of trust between the parties involved. There are two broad aspects to this issue:
- the safety of the data during the communication between the browser and the server. For example, the safety of a credit card number that is sent from the browser to the server when a form is submitted.
- the safety of the data once it reaches its destination. For example, once the credit card number reaches the server, what steps are taken to protect it, i.e., to prevent unauthorized access from within the organization and from outside the organization?
One aspect of developing and maintaining this trust is the controls built into web-based applications. This is essentially a technical matter and is addressed in this section. The other aspect is a matter of policy and reputation, which, while important, is beyond the scope of this section.
Transaction integrity

The basic sequence of events that take place in typical web-based applications is depicted in the figure below.

[Figure: the basic sequence of events in a typical web-based application]
Web-based transactions have the following characteristics:
- Stateless or connectionless. There is no continuous link between the server and the client. Consequently, the server has no way of knowing when, or if, the client is going to submit another request. This state has to be maintained artificially within the program.
- Document requests are independent. The sequence of activities required to complete a task consists of independent events. Thus, if the sequence includes submitting a form, viewing a summary, and viewing detail, the relationship between these events must be maintained within the program.
- Dependence on the network. This results in delays and broken connections that must be taken into account.
Consider the following scenarios:
- A user is required to log in to a system before using the resources available. How is the login status determined and maintained? What happens if the user logs in and then does nothing (goes out to lunch, gets a call from the boss)? How is the "session" maintained and terminated?
- An online sale requires several steps to be completed, each of which requires completing a form. The first form (product information) is completed, which causes a second form to be displayed. The second form (billing information) is completed, which results in the third form. The third form (confirmation) is completed and the transaction is executed. What if the user does not complete the second or third form? How is the status of the transaction determined and maintained?
- An online sale of some software is completed. The user is downloading the software and a problem (server, network, client) prevents the completion of the download. How does the user get another copy? How does the software firm verify that the user purchased a copy but did not receive it?
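As an added illustration (not part of the original notes), the following server-side session store maintains the login state that the stateless protocol does not carry, terminates a session after a period of inactivity, and tracks which form of the three-step sale has been completed. The class and function names, the 15-minute idle timeout and the step names are assumptions made for this example.

```python
"""Server-side session state for a stateless web application (added example)."""
import secrets
import time

IDLE_TIMEOUT = 15 * 60            # assumed: seconds of inactivity before a session ends
SALE_STEPS = ("product", "billing", "confirmation")   # the three forms of the sale


class SessionStore:
    def __init__(self, clock=time.monotonic):
        self._clock = clock       # injectable so tests can advance time
        self._sessions = {}       # token -> {"user", "last_seen", "done", "data"}

    def login(self, user):
        token = secrets.token_urlsafe(32)    # unguessable session identifier
        self._sessions[token] = {"user": user, "last_seen": self._clock(),
                                 "done": [], "data": {}}
        return token

    def _live(self, token):
        """Return the session if still active; otherwise terminate it and return None."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if self._clock() - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]        # idle too long: the session is over
            return None
        s["last_seen"] = self._clock()       # every request renews the session
        return s

    def current_user(self, token):
        s = self._live(token)
        return s["user"] if s else None

    def submit_step(self, token, step, form_data):
        """Record one form of the sale; the forms must arrive in order."""
        s = self._live(token)
        if s is None:
            return "session expired"
        if len(s["done"]) == len(SALE_STEPS):
            return "already complete"
        expected = SALE_STEPS[len(s["done"])]   # the form the server is waiting for
        if step != expected:
            return f"out of order: expected {expected}, got {step}"
        s["done"].append(step)
        s["data"][step] = form_data
        if len(s["done"]) == len(SALE_STEPS):
            return "complete"                  # the transaction can now be executed
        return f"pending {SALE_STEPS[len(s['done'])]}"
```

The status string returned by submit_step answers the "how is the status of the transaction determined" question: an abandoned sale is simply a session whose pending step never arrives before the idle timeout expires it.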
© 1999, Simha R. Magal