
Web Based Session Creation

4.2 Formal Web applications Patterns

4.2.2 Web Based Session Creation

Context: Many typical Web applications, such as e-commerce shopping applications, need to identify different users and maintain user data within a session. A session is a series of requests from the same user that occur during a time period. The stateless nature of the HTTP protocol, which is employed for communication, means that the Web application must handle the state information itself. Basically, a Web server handles each request independently of the others and has no knowledge of preceding requests from the same user. To overcome this problem, Web applications should implement a session management policy. This policy should guarantee that all user interactions can be managed coherently in a session. To manage a session, a server should temporarily save traces of user requests and maintain the session state of each user. Above all, a server should identify the user who sends a request.

Problem: How should we develop an effective session management policy in Web applications?

Forces:

1. HTTP is a stateless Protocol.

2. The Web server has no control over the Web clients’ behaviour.

3. Web applications are usually dealing with more than one client at a time, therefore they need to identify each client correctly.

4. The Web application should handle multiple transactions within a single session. To complete a transaction, it may interact with a client by transferring several web pages and gathering several pieces of user-specific information, such as a credit card number and delivery address, from the client.

Solution: There are various methods to identify clients from their requests. Using a session ID is the most common method of tracking user sessions. Session IDs are typically generated and associated with each new request that the server receives. Upon receiving a request, the server checks whether it contains a valid session ID. If it does not, the request is assumed to start a new session and a new session ID is created. This session ID is sent back to the Web client along with the initial page in the HTTP response. Otherwise, if the request does contain a valid session ID, the server application uses it to retrieve the user data associated with that session ID. All user data is stored on the server, either in a temporary file or in a database.

Formal Specification: The set, constant and variable definitions of this pattern are presented in Figure 4.1. The req_buf variable models the output links from clients to the Web server. Each client puts its request in this buffer and the Web server retrieves it from this buffer. The current variable represents the currently active browser windows on all client computers. When a client opens a new browser window, a new identifier for this window is added to this set.

The session variable represents the set of valid sessions. When the Web server receives a request without a valid session ID, it assumes that a new client has joined the system, allocates a new session ID for it and adds it to session. The resp_buf variable plays a similar role to req_buf, but it stores responses from the Web server to clients.

A simple formal representation of the scenario described in the first part of the solution is illustrated in Figure 4.2. In this specification we assume that multiple users can interact with the Web application. In addition, each user is allowed to open more than one browser window and to have multiple connections with the Web application server. The act of opening a new browser window and typing a specific URL (Uniform Resource Locator) is modelled in the Client_CreateAgent operation. Here aid is a unique handle that identifies each opened browser window on the client computer. The Server_CreateSession operation represents the server-side actions after receiving a new request from a client. The operation guard ReqSID(req) = null checks that the new request does not contain a valid session ID. The next part of the guard, sid ∈ SESSION ∧ sid ∉ session, represents the server allocating a valid new session ID. The new session ID is associated with the request in the body of the operation. This is accomplished by building a response for the client from the request handler ID and the new session ID.
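The server-side behaviour described in the Solution and in the Server_CreateSession guard can be exercised with a small executable model. This is an added example, not the specification from the original text: the Python class and method names (Server, handle, demo) are assumptions, None stands in for null, and treating an unknown client-supplied ID the same as a missing one is an assumption that follows the prose ("does not contain a valid session ID") rather than the guard ReqSID(req) = null alone.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional
@dataclass(frozen=True)
class Request:                  # REQUEST record: ReqID, ReqSID, Srvc
    req_id: str                 # agent (browser window) identifier
    req_sid: Optional[str]      # None plays the role of null
    srvc: str

@dataclass(frozen=True)
class Response:                 # RESPONSE record: RespID, RespSID, Srvc_resp
    resp_id: str
    resp_sid: str
    srvc_resp: str

@dataclass
class Server:
    session: dict = field(default_factory=dict)   # valid session IDs -> server-side user data
    req_buf: list = field(default_factory=list)   # requests waiting for the server
    resp_buf: list = field(default_factory=list)  # responses waiting for clients

    def _fresh_sid(self) -> str:
        # Guard "sid in SESSION and sid not in session": draw from a CSPRNG until unused.
        while True:
            sid = secrets.token_urlsafe(32)
            if sid not in self.session:
                return sid

    def handle(self) -> Response:
        req = self.req_buf.pop(0)
        sid = req.req_sid
        if sid is None or sid not in self.session:
            # No valid ID: start a new session. An ID the server never issued is not adopted.
            sid = self._fresh_sid()
            self.session[sid] = {"requests": 0}
        self.session[sid]["requests"] += 1        # user data stays on the server
        resp = Response(req.req_id, sid, f"page for {req.srvc}")
        self.resp_buf.append(resp)
        return resp

def demo():  # constructed requests, not real traffic
    srv = Server()
    def send(agent, sid, srvc):
        srv.req_buf.append(Request(agent, sid, srvc))
        return srv.handle()
    first = send("win-1", None, "catalogue")           # new client, no session ID
    second = send("win-1", first.resp_sid, "basket")   # same session continues
    third = send("win-2", "never-issued-id", "basket") # unknown ID gets a fresh session
    return srv, first, second, third
```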

SETS

SESSION; REQUEST; RESPONSE; AGENT_ID; SERVICES; SRVC_RESP

CONSTANTS

null,
ReqID, ReqSID, Srvc, /* REQUEST == ReqID AGENT_ID ReqSID SESSION Srvc SERVICES */
RespID, RespSID, Srvc_resp /* RESPONSE == RespID AGENT_ID RespSID SESSION Srvc_resp SRVC_RESP */

PROPERTIES

null SESSION

/* REQUEST Record Definition */
ReqID REQUEST AGENT_ID
ReqSID REQUEST SESSION
Srvc REQUEST SERVICES

/* RESPONSE Record Definition */
RespID RESPONSE AGENT_ID
RespSID RESPONSE SESSION
Srvc_resp RESPONSE SRVC_RESP

VARIABLES

req_buf, current, session, resp_buf, req_hist, resp_hist

INVARIANT

req_buf (REQUEST)
current (AGENT_ID)
session (SESSION)
resp_buf (RESPONSE)
req_hist (REQUEST)
resp_hist (REQUEST)

INITIALISATION

req_buf := ||
current := ||
session := ||
resp_buf := ||
req_hist := ||
resp_hist :=

Figure 4.1: Sets and Variables Definitions of the Session Creation Pattern

The HTTP link between clients and the server is modelled here with a set. We discussed this in the previous section and there is no need to repeat it here. In addition to the buffers, there are two operations for modelling the communication process, namely Convey_SessionReq and Convey_SessionID. These operations are introduced in the refinement. The invariants for the refinement are presented in Figure 4.3, and the part of the refinement that contains these operations is illustrated in Figure 4.4. Maintaining simplicity is the main reason for postponing the introduction of the communication link to the refinement stage. The req_buf of the specification is divided into two buffers in the refinement. The same process is applied to the response buffer resp_buf. This splitting is a prerequisite for the decomposition process in the later refinement stages.

Resulting Context: Although the session creation pattern is an essential part of almost all Web applications, it is usually applied in conjunction with other patterns. In the next section we present another pattern which can be composed with this pattern.