The objective of the new web pages is mainly to let our customers report their meter reading conveniently over the Internet from home.
We are going to use the AddThis service to populate the FAQ and blog of our website.
For further development, we study virtual hosting and cloud hosting for our website.
Regarding information security, we need to use SSL/TLS to secure the data on our website. SSL/TLS is discussed in the last portion of the report.
(129 words for Introduction)
We use Active Server Pages .NET (ASP.NET) to build the function for inputting the meter reading.
ASP.NET is developed by Microsoft. It is a purely server-side technology: the program code is executed on the server and the result is then sent back to the client's computer and shown in the web browser.
ASP.NET allows building dynamic websites in which the web applications use compiled languages such as VB, C#, J#, etc.
The advantages of ASP.NET:
It reduces the amount of code needed to build a large application.
The web application is secured with the built-in Windows authentication.
It provides better performance through early binding, just-in-time compilation and caching services.
It allows programmers to select the language applied to the application for the best performance; it is language-independent.
The web server can monitor the pages and applications running on it. If there are any memory leaks, infinite loops or illegal activities, it terminates those activities promptly and restarts itself.
1.2 Flow Chart of the Operation
Figure 1.2 shows the operation flow, which starts from the user authentication page.
If the authentication process fails, an error message is shown on the user's screen and the user is asked to input again.
If the authentication process is successful, the meter reading input page is displayed.
After the user inputs the meter reading on the web page, the validation process is executed on the client computer.
If the input data is invalid, an error message is shown on the user's screen and the user is asked to input again.
If the input data is valid, the data is transferred to the server. A record is inserted into the CSV file located on the server.
A message for the successful action is shown on the user's screen.
User Authentication page
Before the customer reports the meter reading, the user authentication process must be completed to identify the customer.
The program code is attached in Appendix I.
Figure 1.3a shows the user authentication page. The user needs to input the user ID and password and then click the "Submit" button.
User input "User ID" and "Password"
Figure 1.3b shows the error message on the user authentication page when the user has input and submitted a wrong user ID or password.
Message of authentication fail
Figure 1.3c shows the three previous readings on the input page; the user is allowed to input the new reading once the user authentication is successful.
User input the "New Reading"
CSV file output
Figure 1.4a shows the success message when the new reading passes the validation process.
Message of data accepted
As figure 1.4b shows, the program inserts a record into the CSV file named "NewReading.csv", located in the folder "C:\Inetpub\wwwroot".
Figure 1.4c confirms that each record in the "NewReading.csv" file can be separated into individual cells of a spreadsheet.
Code description for login.aspx
There are four main parts in login.aspx:
Figure 1.5.1 shows the code that declares Visual Basic (VB) as the programming language and turns on debug mode in the "login.aspx" page.
We also need to work with the Microsoft Access database. Therefore we need to import the "System.Data.OleDb" namespace into the web page.
Event procedure of "Reset" button
Figure 1.5.2 shows the code for the event procedure of the "Reset" button in the "login.aspx" page.
When the user clicks the "Reset" button, all the text fields on the input.aspx page are cleared.
Event procedure for "Submit" button
Figure 1.5.3 shows the code for the event procedure of the "Submit" button in the "login.aspx" page.
The code is executed after the "Submit" button is pressed.
In the program code, we need to define which type of database will be used.
Provider=Microsoft.Jet.OLEDB.4.0 is for the Microsoft Access database.
Server.MapPath("db1.mdb") informs the server that the db1.mdb database file is to be used and that its location is the root directory of the server.
(In this case, the root directory is C:\Inetpub\wwwroot.)
Then the code defines the variables and sets the SQL statement for searching the data in the "name" field of the "user" table in "db1.mdb".
When the user clicks the "Submit" button, the data in "txtUserID" and "Password" are transferred from the client computer to the web server.
The program code of the "login.aspx" page searches the "user" table with the "txtUserID" and "Password" values received from the client computer.
If no record is found in the "user" table, the error message "Invalid user id or password!" is shown in the text field "labError" of "login.aspx".
Otherwise, the content of "txtUserID" and the selected "name" are stored in the session variables, and the input.aspx page is then sent to the client computer and shown in the client browser.
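The lookup and session handling described above, as an added example that is not the essay's login.aspx code. The essay queries an Access database (db1.mdb) through OleDb; this example uses an in-memory SQLite table as a stand-in (an assumption) with the same "user" table shape (uid, name) plus a password column. Two hardening steps the essay does not describe are labelled in the comments: the query is parameterised, so the typed user ID is always treated as data, and the password is stored as a salted hash rather than in clear text.

```python
import hashlib
import hmac
import os
import sqlite3

# Added example, not the essay's code. SQLite stands in for db1.mdb (assumption).
PBKDF2_ROUNDS = 100_000


def build_user_table(conn, users):
    """Create the "user" table and store each password as a salted PBKDF2 hash.

    Hashing the password is a hardening step added here; the essay's table
    stores the password as entered.
    """
    conn.execute("CREATE TABLE user (uid TEXT PRIMARY KEY, name TEXT, salt BLOB, pw_hash BLOB)")
    for uid, name, password in users:
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        conn.execute("INSERT INTO user VALUES (?, ?, ?, ?)", (uid, name, salt, pw_hash))
    conn.commit()


def authenticate(conn, user_id, password):
    """Return the user's name on success, or None when no record matches.

    The ? placeholder is a parameterised query: whatever is typed into
    txtUserID is bound as a value and cannot alter the SQL statement.
    """
    row = conn.execute("SELECT name, salt, pw_hash FROM user WHERE uid = ?", (user_id,)).fetchone()
    if row is None:
        # Run one hash anyway so an unknown uid takes as long as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return None
    name, salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, stored):
        return None
    return name


def login(conn, session, user_id, password):
    """Emulate the Submit handler: set session "ID" and "Name", or return the error text."""
    name = authenticate(conn, user_id, password)
    if name is None:
        return "Invalid user id or password!"
    session["ID"] = user_id
    session["Name"] = name
    return None


def demo_login():
    """Constructed sample user and three login attempts; returns (messages, session)."""
    conn = sqlite3.connect(":memory:")
    build_user_table(conn, [("c001", "Chan Tai Man", "s3cret")])  # constructed sample user
    session = {}
    messages = (
        login(conn, session, "c001", "s3cret"),   # correct credentials
        login(conn, session, "c001", "wrong"),    # wrong password
        login(conn, session, "c001'", "s3cret"),  # stray quote in the uid is just an unknown uid
    )
    return messages, session
```

The third attempt shows the point of binding parameters: a user ID containing a quote character is compared literally against the uid column and simply fails to match, instead of being spliced into the statement text.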
Body of "login.aspx"
Figure 1.5.4 shows the code between the body tags of "login.aspx".
Mainly it builds the input fields and buttons for the user to communicate with the server.
Firstly, the code builds a form named "frmLogin".
Inside the form, we create two text fields, "txtUserID" and "Password". We also create the "Reset" button and the "Submit" button for the related server actions.
Code description for Input.aspx
The details are reported in Task 2.
Tables in database
We use the database "db1.mdb" to keep the users' information and the previous meter readings.
Figure 1.7.1a shows the table structure for "user".
The field "uid" is the primary key.
Figure 1.7.1b shows the table content for "user".
1.7.2 "reading" table
Figure 1.7.2a shows the table structure for "reading".
The fields "uid" and "date" form the compound primary key.
Figure 1.7.2b shows the table content for "reading".
The date format is YYYYMMDD.
The time format is HH:MM.
In this table, we allow only one meter reading per day for each individual user ID.
(1049 words for Task 1)
Validation for reading input
Figure 2.2a shows the meter reading input page; the user can input the new reading in the blank field.
User inputs and submits a reading smaller than the previous reading
Figure 2.2b shows the error message when the new reading is smaller than the last reading.
Figure 2.2c shows the error message when the user clicks the "Submit" button without any input in the new reading field.
User does not input any value
Figure 2.2d shows the error message when the user inputs a non-numeric value in the field.
User inputs a value containing a character
Code description for input.aspx
There are six main parts in input.aspx.
Figure 2.3.1 shows the code that declares Visual Basic (VB) as the programming language and turns on debug mode in the "input.aspx" page.
The "System.Data" namespace is imported into the web page for the ADO.NET architecture, which allows the developer to build components that manage data efficiently.
The "System.Data.OleDb" namespace is imported into the web page for working with the Microsoft Access database.
We also need to read and write the file NewReading.csv. Therefore we need to import the "System.IO" namespace into the web page.
Event procedure of Page Load
Figure 2.3.2 shows the code for the Page Load event procedure in the "input.aspx" page.
This is where the session variables set in "login.aspx" are used.
When "input.aspx" is loaded from the server, the content of the session variable "Name" saved in "login.aspx" is retrieved into the text field "labName" of "input.aspx".
As in the code of "login.aspx", we need to define which type of database will be used.
Provider=Microsoft.Jet.OLEDB.4.0 is for the Microsoft Access database.
Server.MapPath("db1.mdb") informs the server that the db1.mdb database file is to be used and that its location is the root directory of the server.
(In this case, the root directory is C:\Inetpub\wwwroot.)
Then the code defines the variable "tmpSQL" and assigns to it the search condition for querying the data set in the table "reading" of "db1.mdb".
The resulting data set contains the top three records for the "uid" whose value comes from the session variable "ID", ordered by date and time in descending order.
"Dim tmpConnection As OleDbConnection" is for updating the Access data table.
"Dim tmpCommand As OleDbDataAdapter" provides the communication between the DataSet and the OleDb data source.
"Dim tmpDataset As DataSet" reserves the memory to keep the data.
Under the comment 'Start connection, the code connects to the Access database.
Under the comment 'Get value, the Fill() method is used to bind the query result to the variable "tmpDataset".
Under the comment 'Display grid, the code puts the query result into the ASP.NET object "grdReading" to display a table.
Then we prepare the fields to keep the date, time and reading of the previous record. They are used for validating the new reading input by the user.
(The code is shown on the next page.)
Figure 2.3.3 shows the event procedure executed when the user clicks the "Reset" button.
Figure 2.3.4 shows the event procedure executed when the user clicks the "Submit" button.
Firstly, the path of the NewReading.csv file is defined. The ASP.NET object StreamWriter is also defined.
The user ID, input date, input time and the valid reading are written in comma-separated values (CSV) format.
A message for the successful process is also shown on the page.
Firstly, the code gets the date and time from the server and formats them as yyyymmddHH:MM. This string is used to compare against the date and time of the previous reading.
The validation conditions include:
whether the user has input a new reading
whether the value of the new reading is of numeric type
whether the value of the new reading is greater than or equal to the
whether the input date and time are later than those of the previous reading
The related error message box is shown if any of the above conditions fails.
If the validation is OK, the event procedure of the Submit button is executed.
Note: the validation function is declared in "Page_Load". Therefore it is executed before the original code of the "Submit" button.
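The Submit flow described in this section (the four validation checks followed by the CSV record), as an added example that is not the essay's input.aspx code. It uses the essay's date format YYYYMMDD and time format HH:MM; the field names, the error texts, the in-memory file standing in for C:\Inetpub\wwwroot\NewReading.csv and the sample previous record are constructed. One caveat beyond the essay: the record is written with the csv module, which quotes any field containing a comma, quote or line break, so a value cannot split into extra spreadsheet cells the way a hand-built comma string could.

```python
import csv
import io
from datetime import datetime

# Added example, not the essay's code. Formats follow the "reading" table description.
DATE_FMT = "%Y%m%d"   # YYYYMMDD
TIME_FMT = "%H:%M"    # HH:MM


def validate_reading(new_reading, prev_reading, prev_date, prev_time, now):
    """Return None when the input passes, otherwise the error message to show.

    Checks run in the order the essay lists them: non-empty, numeric, not below
    the previous reading, and later than the previous reading's date/time.
    prev_date is "YYYYMMDD", prev_time is "HH:MM", now is a datetime.
    """
    text = (new_reading or "").strip()
    if not text:
        return "Please input the new reading."
    try:
        value = float(text)
    except ValueError:
        return "The new reading must be numeric."
    if value < float(prev_reading):
        return "The new reading is smaller than the previous reading."
    prev_dt = datetime.strptime(prev_date + prev_time, DATE_FMT + TIME_FMT)
    if now <= prev_dt:
        return "The input date and time must be later than the previous reading."
    return None


def append_record(csv_file, uid, now, reading):
    """Append one record: uid, date, time, reading (quoted by csv.writer where needed)."""
    writer = csv.writer(csv_file, lineterminator="\n")
    writer.writerow([uid, now.strftime(DATE_FMT), now.strftime(TIME_FMT), reading])


def submit(csv_file, session, new_reading, prev_reading, prev_date, prev_time, now):
    """Emulate Submit: validate first; write the record only when validation passes."""
    error = validate_reading(new_reading, prev_reading, prev_date, prev_time, now)
    if error:
        return error
    append_record(csv_file, session["ID"], now, new_reading.strip())
    return "Data accepted."


def demo_submit():
    """Five constructed submissions against one previous record; returns (messages, csv_text)."""
    out = io.StringIO()                                    # stands in for NewReading.csv
    session = {"ID": "c001", "Name": "Chan Tai Man"}     # constructed, as set by login.aspx
    prev = ("012345", "20100301", "09:30")                # constructed previous record
    now = datetime(2010, 3, 2, 10, 15)
    messages = [
        submit(out, session, "", *prev, now),                               # empty input
        submit(out, session, "12a", *prev, now),                            # non-numeric
        submit(out, session, "12000", *prev, now),                          # below previous
        submit(out, session, "12400", *prev, datetime(2010, 3, 1, 9, 0)),   # clock before previous
        submit(out, session, "12400", *prev, now),                          # accepted
    ]
    return messages, out.getvalue()
```

Only the last submission reaches append_record, so the file ends up holding exactly one line, c001,20100302,10:15,12400.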
Figure 2.3.6 shows the code between the body tags of "input.aspx".
Firstly, the code builds a form named "frmInput". Inside the form, we create a table to show the user's three previous records, the text field "txtNewReading", and the hidden fields that keep the values of the previous record.
We also create the "Reset" button and the "Submit" button for the related server actions.
(1005 words for Task 2)
Populate the company website
We would like to increase the traffic to the FAQ and blog on the company website.
FAQ: Frequently Asked Questions
It is a web page that lists the questions raised by our website users and clients. The official answers and solutions are provided by our company for each question.
It is one of the styles of information communication on the network.
Clients can raise any subject and post their opinion on any related subject.
At this moment, we consider using the AddThis service to fulfil the requirement.
Introduction of AddThis
AddThis is a free service provided by the ClearSpring company.
AddThis helps website publishers and bloggers spread their content across the web by making it easy for web users to bookmark and share content to the popular sites that AddThis supports. These are called AddThis platforms, such as Facebook, Google, Twitter, Gmail and so on.
Through the AddThis function, our existing web visitors can share their blog subjects and the FAQ content with more people. Anyone who replies to the content is redirected to our company website.
The traffic to the FAQ and blog will therefore increase.
Services from AddThis
AddThis offers a number of different Application Programming Interfaces (APIs), each with a specific purpose.
The client-side APIs control how the share tools behave on the web page.
The server-side APIs can be used for different types of integration between the website and the AddThis backend platform.
3.3.1 Client API
Figure 3.3.1a shows the buttons that help the visitor link to the AddThis platforms.
As figure 3.3.1b shows, we embedded the client API in the FAQ page so that our clients can create bookmarks on the AddThis platforms.
When the visitor clicks one of the AddThis buttons (e.g. Facebook) on our blog or FAQ page, the visitor is directed to the Facebook website.
After the user authentication has been completed, the bookmark for the blog or FAQ page is added to the user page of Facebook under the visitor's account.
3.3.2 Sharing Endpoints
Besides the client API, AddThis also provides sharing endpoints, which are a set of simple URL endpoints. We can use them to initiate sharing to any website supported by the AddThis platform (e.g. Facebook, Google, Gmail and so on).
The share menu provides the list of share platforms from which the users can select.
The share is forwarded to the pre-fixed destination.
AddThis provides two ways to monitor the traffic increase on our company website. We need to apply for a user account with AddThis to obtain the data.
3.4.1 Analytics Reports from AddThis
AddThis provides several different analytics reports to help us understand how our clients share the content.
Analytics Summary
In the Analytics Summary report figure, the report shows how many times users have shared the content over a selected period.
In the first Analytics Content figure, the report shows which pages are shared most frequently.
In the second Analytics Content figure, the report lets you look closely at the particular URL of a web page, and how much traffic it brings back to our company website.
Analytics Services / Endpoints
In the first Analytics Services figure, the report shows which sharing endpoints are most popular.
In the second Analytics Services figure, the report takes a closer look at a particular endpoint,
and how much traffic that endpoint brings back to our company website.
In the Analytics Geography figure, the report helps us know where the people who visit the company website live.
3.4.2 Analytics API from AddThis
It can provide data about:
How many times did people share the content in the previous day / week / month?
Which content is being shared the most?
Which services/share endpoints are used to share the content?
The webmaster can get the data in CSV format for the past seven days through the link below:
After we input the URL, the window below is shown on the screen.
Figure 3.4.2a shows the authentication screen from AddThis. The webmaster needs to input the user ID and password.
Figure 3.4.2b shows the data in CSV format, giving the number of visits for the past seven days.
We can use the data to create our traffic reports.
3.5 AddThis Pros and Cons
The AddThis service is free of charge.
Through bookmarks on the popular websites, AddThis makes more people aware of, and discuss, our company and our company website. Moreover, we do not need to pay additional advertising costs.
But we need to consider information security, because we use a third party to assist with the job.
When our clients click the AddThis buttons, they are redirected to AddThis, which may collect information from our clients' computers.
We need to consider protecting our clients' information. Otherwise the reputation of the company will be affected.
(1004 words for task 3)
Virtual hosting is a way of hosting multiple domain names on a single server/computer using a single IP address.
The server/computer shares its resources, such as RAM or CPU, for more efficient usage.
Shared web hosting is widely used. The service charge for virtual hosting is cheaper than for a stand-alone dedicated web server, because the cost is shared among the customers whose websites are hosted on the same server.
There are three types of virtual hosting, as shown below:
The web server is configured with more than one physical network interface.
Multiple IP addresses, or a virtual network interface, are set on each physical network interface.
Each site under IP-based virtual hosting is pointed to a unique IP address.
This type of virtual hosting has a higher cost and leads to IP address exhaustion, because each website needs a unique IP address.
On the same web server with a single IP address, multiple host names can be used by name-based virtual hosts. A different host header needs to be configured in the web server for each host name.
Each host name represents a company website or an application.
With virtual hosting, our company website has the hosts/applications below on a single server.
Clients' browsers need to support HTTP/1.1 to see the web pages under virtual hosting.
But the disadvantages below should be considered:
If the DNS does not work, the browser has difficulty accessing the virtually hosted website.
It is not possible to host multiple secure websites that run the Secure Sockets Layer (SSL).
Because the SSL handshake takes place before the server receives the expected host name from the client, the server cannot know which certificate to present when the connection is made.
The default TCP port number for the HTTP protocol is 80.
Actually, we can assign different port numbers to represent the different websites or applications.
www.energyco.com (default port 80 for the online reading register)
www.energyco.com:1080 (port 1080 for the FAQ)
www.energyco.com:2080 (port 2080 for the blog)
This is not good for the population.
Users are not familiar with using non-default port numbers, and complicated port numbers are difficult to remember.
Some firewalls may be configured to block all ports except the application's default ports. This makes a website on a non-standard port unavailable to those users.
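The two routing schemes described above, as an added example that is not part of the essay: a name-based virtual host picks the site from the Host header, and the port-based layout picks it from the port the request arrived on. The port layout is the essay's (80, 1080, 2080); the host names in NAME_HOSTS other than www.energyco.com and the request texts are hypothetical. It also shows the HTTP/1.1 dependency the essay mentions: a 1.1 request without a Host header is rejected, while a 1.0 request without one can only reach the default site.

```python
# Added example, not from the essay. Name-based layout is hypothetical; port layout is the essay's.
NAME_HOSTS = {
    "www.energyco.com": "reading-register",
    "faq.energyco.com": "faq",      # hypothetical host name
    "blog.energyco.com": "blog",    # hypothetical host name
}
PORT_HOSTS = {80: "reading-register", 1080: "faq", 2080: "blog"}
DEFAULT_SITE = "reading-register"


def parse_head(raw):
    """Return (http_version, headers) from the head of one HTTP request given as bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    version = request_line.split(" ")[-1]
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return version, headers


def select_by_name(raw):
    """Name-based virtual hosting: route on the Host header.

    The :port suffix is ignored and the comparison is case-insensitive
    (host names only; IPv6 literals are not handled). HTTP/1.1 makes Host
    mandatory, so a 1.1 request without it gets 400; a 1.0 request without
    it falls through to the default site. Unknown names also get the default.
    """
    version, headers = parse_head(raw)
    host = headers.get("host")
    if host is None:
        return "400 Bad Request" if version == "HTTP/1.1" else DEFAULT_SITE
    name = host.partition(":")[0].lower()
    return NAME_HOSTS.get(name, DEFAULT_SITE)


def select_by_port(listening_port):
    """Port-based layout: the listening socket decides, no Host header needed."""
    return PORT_HOSTS.get(listening_port, "404 no site on this port")


def demo_routing():
    """Constructed requests showing each branch; returns the list of chosen sites."""
    return [
        select_by_name(b"GET /faq.html HTTP/1.1\r\nHost: FAQ.energyco.com:80\r\n\r\n"),
        select_by_name(b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n"),
        select_by_name(b"GET / HTTP/1.1\r\n\r\n"),
        select_by_name(b"GET / HTTP/1.0\r\n\r\n"),
        select_by_port(2080),
    ]
```

The SSL limitation listed above is the reason the Host header cannot help on an HTTPS connection: it arrives inside the encrypted stream, after the certificate has already been sent. Modern TLS clients send the host name in the clear during the handshake through the Server Name Indication (SNI) extension, which is what lets one IP address serve several certificates today.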
Cloud hosting / Cloud computing
Figure 4.2 shows the concept of cloud hosting.
Cloud hosting / cloud computing is operation with multiple connected servers.
A cloud service differs from a traditional hosting service in the following ways:
- Processing power can be increased easily, because a new server can usually be added to scale up the computing infrastructure.
- Typically the sales model is based on demand, by the minute or hour.
- It provides an elastic service to users as they need it, at any time.
- The service is fully managed and maintained by the provider.
- Access to high-speed Internet has improved significantly.
A cloud can be private or public.
The provider of a public cloud sells its services to people on the Internet.
At this moment, the public clouds include IBM's Blue Cloud, Amazon Elastic Compute Cloud (EC2), Google AppEngine, Sun Cloud and the Windows Azure Services Platform. Amazon Web Services (AWS) is the largest public cloud provider.
The provider of a private cloud owns the data center or the network that supplies hosting services to a smaller number of people.
When people use the resources of a public cloud to create their own private cloud, it is called a virtual private cloud.
In general terms, cloud hosting/computing involves delivering hosted services over the Internet.
The hosted services can basically be divided into three models:
- Infrastructure-as-a-Service (IaaS)
- Platform-as-a-Service (PaaS)
- Software-as-a-Service (SaaS)
4.2.1 Infrastructure-as-a-Service (IaaS)
As with the service provided by Amazon Web Services, customers use virtual server instances with unique IP addresses to control, access and configure their virtual servers and storage.
It provides flexible payment based on the users' demand.
This cloud model can be applied to the web service.
4.2.2 Platform-as-a-Service (PaaS)
It is defined as a set of software development tools hosted on the provider's infrastructure.
Developers create their applications on the provider's platform over the Internet.
The supplier provides the software product, the hardware infrastructure and the user interaction through a front-end portal. It covers a large market of services, from web-based mail to inventory control and database processing. The user can use the service from anywhere, because both the data and the application are hosted by the service provider.
Virtual Host VS Cloud hosting
The cloud hosting service provider can always add servers to the cloud network without affecting the hosting service.
There is no need to worry about the capacity limit for a fast-growing website, because the storage space of multiple servers can be used.
Usually the servers in the cloud network are located in different locations. If an electrical surge or a power outage at one location takes all the servers there offline, the cloud hosting service is still available.
The resources (CPU and RAM) of the multiple servers in the cloud network can be combined to provide high-speed processing ability.
The data is shared across the multiple servers in the cloud network. The servers in the different locations are managed by different people. That means more people have the chance to touch the data of our company website.
Comparison of cloud hosting providers
Figure 4.4 shows the comparison among the providers of cloud hosting services.
GoGrid is recommended as our cloud hosting service provider according to the result in section 4.4.
(1054 words for task 4)
Both SSL and TLS are cryptographic protocols that provide security for communication over a network such as the Internet.
5.1.1 SSL (Secure Sockets Layer)
SSL was originally invented by Netscape.
SSLv2 was released in 1994.
SSLv3 was released in 1996.
5.1.1b Position in OSI layer:
Figure 5.1.1b below shows that SSL runs above TCP/IP and below higher-level protocols such as HTTP or LDAP.
5.1.1c SSL security
Secrecy or privacy:
The data is protected by encryption even if the data packets are captured.
The encryption methods include:
Asymmetric key exchange: RSA, Diffie-Hellman, etc.
Symmetric encryption: DES, 3DES, RC4, etc.
A Message Authentication Code (MAC) using MD5 or SHA-1 verifies whether the data has been falsified.
The identity of the remote host is confirmed by server authentication, client authentication and X.509 public-key certificates.
5.1.1d SSL protocol
SSL uses TCP/IP on behalf of the higher-level protocols (the Handshake protocol and the Record protocol), and in the process allows an SSL-enabled server to authenticate itself to an SSL-enabled client, allows the client to authenticate itself to the server, and allows both machines to establish an encrypted connection.
Figure 5.1.1di shows the SSL Handshake Protocol, which handles authentication and the negotiation of encryption keys.
Figure 5.1.1dii shows the SSL Record Protocol, which encrypts the data from the Application Layer.
5.1.1e Weak point in SSL
SSL only ensures the safety of the data on the Internet. Once the data arrives at the remote host it is no longer encrypted. If we send a credit card number over SSL, the people on the server side can see the card number.
SSL encryption ciphers are classified by the length of the encryption key as follows:
HIGH: key length > 128 bits
MEDIUM: key length = 128 bits
LOW: key length < 128 bits
Messages encrypted with LOW encryption ciphers are easy to decrypt.
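The key-length classification above applied to a real cipher suite list, as an added example that is not from the essay. It uses Python's ssl module: classify() encodes the essay's three classes, classify_suites() labels suite entries in the same dict shape that SSLContext.get_ciphers() returns, and hardened_context() builds a client context on which low_suites_offered() comes back empty. The sample suite list in the test is constructed; the OpenSSL cipher-string keywords (HIGH, !aNULL, !eNULL, !MD5, !RC4) are real OpenSSL syntax.

```python
import ssl

# Added example, not from the essay. Thresholds follow the essay's HIGH/MEDIUM/LOW table.


def classify(key_bits):
    """Essay's classes: HIGH above 128 bits, MEDIUM exactly 128, LOW below 128."""
    if key_bits > 128:
        return "HIGH"
    if key_bits == 128:
        return "MEDIUM"
    return "LOW"


def classify_suites(suites):
    """Label suite dicts of the form {"name": ..., "strength_bits": ...} by class."""
    return {s["name"]: classify(s["strength_bits"]) for s in suites}


def low_suites_offered(context):
    """Names of LOW suites the context would still offer; empty for a hardened context."""
    return [c["name"] for c in context.get_ciphers() if classify(c["strength_bits"]) == "LOW"]


def hardened_context():
    """Client context limited to TLS 1.2+ and 128-bit-or-stronger suites.

    Note the vocabulary mismatch: OpenSSL's HIGH keyword means 128 bits and
    above, i.e. it covers both the essay's HIGH and MEDIUM classes. The
    exclusions drop unauthenticated, null-encryption, MD5-MAC and RC4 suites.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4")
    return ctx
```

Because create_default_context() already excludes weak suites on current OpenSSL builds, low_suites_offered(ssl.create_default_context()) is normally empty too; the explicit set_ciphers() call pins that decision in the application rather than leaving it to whatever the library default happens to be.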
TLS (Transport Layer Security)
TLS is a protocol from the Internet Engineering Task Force (IETF), based on SSL 3.0, from the year 1998.
5.1.2b Position in OSI layer:
Figure 5.1.2b below shows that the protocol is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol.
5.1.2c TLS security
Authentication - by public/private key.
Confidentiality - the data is encoded and decoded with the session key.
Integrity - the data is checked with a Message Authentication Code (MAC) to confirm whether it has been falsified.
5.1.2d TLS protocol
TLS Handshake protocol
It handles the authentication and key exchange before data transmission between the server and client.
Three main parts of the handshake process:
Encryption by a cipher suite such as TLS_RSA_WITH_RC4_128_MD5
Authentication by public/private key
Generation of the Master Secret first, and then of the two session keys below:
Write MAC Secret (session key for hashing)
Write Key (session key for encryption)
The figure below shows the steps of the TLS handshake.
TLS Record protocol
Its job is similar to that of SSL.
It adds the Message Authentication Code to the encrypted data to confirm the integrity of the data.
Basically, there is no big difference between TLS and SSL. But TLS can fall back to SSL 3.0 when necessary.
TLS is flexible, supports more key sizes and provides different levels of security.
SSL is more common in usage, and almost all browsers support it.
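The two handshake and record steps described above (Master Secret to Write MAC Secret and Write Key, then a MAC over each record), carried through in code as an added example that is not from the essay. It uses the TLS 1.2 key-expansion PRF from RFC 5246 with HMAC-SHA256, which goes beyond the SSL-era MD5/SHA-1 MACs the essay mentions; the master secret, client and server randoms, key sizes and the record contents are constructed.

```python
import hashlib
import hmac
import struct

# Added example, not from the essay. Key expansion and record MAC per RFC 5246 (TLS 1.2).


def p_hash(secret, seed, length):
    """P_SHA256: A(i) = HMAC(secret, A(i-1)); output += HMAC(secret, A(i) + seed)."""
    out = b""
    a = seed                       # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret, label, seed, length):
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def key_block(master_secret, server_random, client_random, mac_len=32, key_len=16):
    """Expand the master secret into the session keys the essay names.

    key_block = PRF(master_secret, "key expansion", server_random + client_random),
    split in RFC 5246 order: client MAC key, server MAC key, client key, server key.
    (Constructed sizes: 32-byte HMAC-SHA256 keys, 16-byte cipher keys; IVs omitted.)
    """
    block = prf(master_secret, b"key expansion", server_random + client_random,
                2 * mac_len + 2 * key_len)
    layout = (("client_write_MAC_key", mac_len), ("server_write_MAC_key", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len))
    keys, offset = {}, 0
    for name, size in layout:
        keys[name] = block[offset:offset + size]
        offset += size
    return keys


def record_mac(mac_key, seq_num, content_type, version, fragment):
    """Record-layer MAC: HMAC over seq_num || type || version || length || fragment."""
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


def verify_record(mac_key, seq_num, content_type, version, fragment, mac):
    """Constant-time check; a modified fragment or a replayed sequence number fails."""
    expected = record_mac(mac_key, seq_num, content_type, version, fragment)
    return hmac.compare_digest(expected, mac)


def demo_keys_and_mac():
    """Constructed master secret and randoms; returns (keys, mac of one application-data record)."""
    master = hashlib.sha256(b"constructed master secret").digest() + b"\x00" * 16   # 48 bytes
    client_random = bytes(range(32))           # constructed
    server_random = bytes(range(32, 64))       # constructed
    keys = key_block(master, server_random, client_random)
    # content_type 23 = application_data, version 0x0303 = TLS 1.2, seq_num 0 = first record
    mac = record_mac(keys["client_write_MAC_key"], 0, 23, 0x0303, b"reading=12400")
    return keys, mac
```

The sequence number inside the MAC input is what stops a captured record from being replayed later in the same connection: the receiver computes the MAC with its own counter, so a second copy of the record arrives with the wrong expected value.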
Domain Validated certificates(DV)
DV certificates are simple SSL certificates that provide the authentication function between server and client.
Before one is issued by the CA, it is not necessary to verify the company information.
We only need to prove that we own the domain, by e-mail or by phone call, using the information in the domain's WHOIS record.
Extended Validated certificates(EV)
EV certificates are SSL certificates as well. Before one is issued, rigorous and extensive verification of the identity of the entity/company is required, as below:
The existence of the entity is verified in physical, legal and operational aspects.
The identity of the entity is verified against official records.
It is verified that the entity has the exclusive right to use the domain specified in the EV certificate.
It is verified that the entity has proper authorization for the issuance of the EV certificate.
DV vs. EV
Domain Validated certificates (DV) compared with Extended Validated certificates (EV):
Application lead time
- DV: No rigorous validation is needed. Usually we can get a fully functional certificate within a few minutes.
- EV: Extensive validation is required. It may take a few days or a few weeks.
Application process and cost
- DV: The process is automated. The applicant can apply for the DV certificate by e-mail or phone call. It is the cheapest SSL certificate.
- EV: Labour cost is involved, because a third party verifies the applicant's company information. The cost of the certificate is higher than DV.
Level of assurance
- DV: It is low. Because no rigorous validation is required, visitors cannot confirm the real identity of the company they are visiting.
- EV: It is higher than DV. Visitors can have more confidence that they are accessing the right site.
Risk of misuse
- DV: Any hacker/phisher can get a DV certificate and hide their identity. Moreover, a man-in-the-middle attack is more dangerous because the hacker can get a DV certificate for our domain through DNS poisoning. Our visitors would be redirected to a fake site, allowing the hackers to collect the visitors' information.
- EV: All certification authorities are required to have an annual audit. Improperly used EV certificates will be revoked quickly according to the CA guidelines.
As an energy company that provides services to the population, we will contact many clients via the Internet. Therefore Internet security must be our first consideration. Otherwise the information of our company and our clients will become the hackers' meat.
We choose SSL with an Extended Validated certificate for the data encryption.
In Hong Kong, we can apply for the EV server certificate from the Hong Kong Post Office.
The annual fee and validation period:
HKD 2,500 for one year
HKD 5,000 for two years
According to the information from the HK Post Office, the EV server certificate is fully supported by browsers such as Microsoft Internet Explorer, Apple Safari and Mozilla Firefox.
(1085 words for task 5)