ch11_01.htm

用perl编写CGI的好书。本书从解释CGI和底层HTTP协议如何工作开始

<?label 11. Maintaining State?><html><head><title>Maintaining State (CGI Programming with Perl)</title><link href="../style/style1.css" type="text/css" rel="stylesheet" />

<meta name="DC.Creator" content="Scott Guelich, Gunther Birznieks and Shishir Gundavaram" /><meta scheme="MIME" content="text/xml" name="DC.Format" /><meta content="en-US" name="DC.Language" /><meta content="O'Reilly & Associates, Inc." name="DC.Publisher" /><meta scheme="ISBN" name="DC.Source" content="1565924193L" /><meta name="DC.Subject.Keyword" content="stuff" /><meta name="DC.Title" content="CGI Programming with Perl" /><meta content="Text.Monograph" name="DC.Type" />

</head><body bgcolor="#ffffff">

<img src="gifs/smbanner.gif" alt="Book Home" usemap="#banner-map" border="0" /><map name="banner-map"><area alt="CGI Programming with Perl" href="index.htm" coords="0,0,466,65" shape="rect" /><area alt="Search this book" href="jobjects/fsearch.htm" coords="467,0,514,18" shape="rect" /></map>

<div class="navbar"><table border="0" width="515"><tr><td width="172" valign="top" align="left"><a href="ch10_04.htm"><img src="../gifs/txtpreva.gif" alt="Previous" border="0" /></a></td><td width="171" valign="top" align="center"><a href="index.htm">CGI Programming with Perl</a></td><td width="172" valign="top" align="right"><a href="ch11_02.htm"><img src="../gifs/txtnexta.gif" alt="Next" border="0" /></a></td></tr></table></div>
<hr align="left" width="515" />



<h1 class="chapter">Chapter 11. Maintaining State</h1>
<div class="htmltoc"><h4 class="tochead">Contents:</h4><p>
<a href="ch11_01.htm">Query Strings and Extra Path Information</a><br>
<a href="ch11_02.htm">Hidden Fields</a><br>
<a href="ch11_03.htm">Client-Side Cookies</a><br></p></div>



<p>HTTP is a stateless protocol. As we discussed in <a href="ch02_01.htm">Chapter 2, "The Hypertext Transport Protocol "</a>, the <a name="INDEX-2179" />HTTP protocol defines how web clients and
servers communicate with each other to provide documents and
resources to the user. Unfortunately, as we noted in our discussion
of HTTP (see <a href="ch02_05.htm#ch02-99950">Section 2.5.1, "Identifying Clients"</a>), HTTP does not provide a
direct way of identifying clients in order to keep track of them
across multiple page requests. There are ways to track users through
indirect methods, however, and we'll explore these methods in
this chapter. Web developers refer to the practice of tracking users
as <em class="firstterm">maintaining state</em>
<a name="INDEX-2180" />
<a name="INDEX-2181" /> <a name="INDEX-2,182" />
<a name="INDEX-2183" />.
The series of interactions that a particular user has with our site
is a <em class="firstterm">session</em>
<a name="INDEX-2184" /> <a name="INDEX-2,185" />. The information that we collect for a
user is <em class="firstterm">session information</em>.</p>


<p>Why would we want to maintain state? If you value privacy, the idea
of tracking users may raise concerns. It is true that tracking users
can be used for questionable purposes. However, there are legitimate
instances when you must track users. Take an online store: in order
to allow a customer to browse products, add some to a shopping cart,
and then check out by purchasing the selected items, the server must
maintain a separate shopping cart for each user. In this case,
collecting selected items in a user's session information is
not only acceptable, but expected.</p>


<p>Before we discuss methods for maintaining state, let's briefly
review what we learned earlier about the <a name="INDEX-2186" />HTTP transaction model. This will
provide a context to understand the options we present later. Each
and every HTTP transaction follows the same general format: a
<a name="INDEX-2187" />
<a name="INDEX-2188" />
<a name="INDEX-2189" />request
from a client followed by a response from the server. Each of these
is divided into a request/response line, header lines, and possibly
some message content. For example, if you open your favorite browser
and type in the URL:</p>


<blockquote class="simplelist">

<p><em class="emphasis">http://www.oreilly.com/catalog/cgi2/index.html</em></p>

</blockquote>


<p>Your browser then connects to <em class="emphasis">www.oreilly.com</em> on
port 80 (the default port for HTTP) and issues a request for
<em class="emphasis">/catalog/cgi2/index.html</em>. On the server side,
because the web server is bound to port 80, it answers any requests
that are issued through that port. Here is how the request would look
from a browser supporting HTTP 1.0:</p>


<blockquote><pre class="code">GET /index.html HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
User-Agent: Mozilla/4.5 (Macintosh; I; PPC)</pre></blockquote>


<p>The browser uses the <a name="INDEX-2190" />GET request method to ask for the
document, specifies the HTTP protocol to use, and supplies a number
of headers to pass information about itself and the format of the
content it will accept. Because the request is sent via GET and not
POST, the browser is not passing any content to the server.</p>


<p>Here is how the
<a name="INDEX-2191" />server would respond to the request:</p>


<blockquote><pre class="code">HTTP/1.0 200 OK
Date: Sat, 18 Mar 2000 20:35:35 GMT
Server: Apache/1.3.9 (Unix)
Last-Modified: Wed, 20 May 1998 14:59:42 GMT
Content-Length: 141
Content-Type: text/html

(content)
...</pre></blockquote>


<p>In Version 1.0 of HTTP, the server returns the requested document and
then closes the
<a name="INDEX-2192" />connection.
Yes, that's right: the server doesn't keep the connection
open between itself and the browser. So, if you were to click on a
link on the returned page, the browser then issues another request to
the server, and so on. As a result, the server has no way of knowing
that it's you that is requesting the successive document. This
is what we mean by
<em class="emphasis">stateless</em>
<a name="INDEX-2193" />
<a name="INDEX-2194" />, or nonpersistent; the server
doesn't maintain or store any request-related information from
one transaction to the next. You do know the network address of the
client who is connecting to you, but as you'll recall from our
earlier discussion of
<a name="INDEX-2195" />proxies (see <a href="ch02_05.htm#ch02-54689">Section 2.5, "Proxies"</a>), multiple users may be making connections via
the same proxy.</p>


<p>You may be waiting to hear what's changed in Version 1.1 of
HTTP. In fact, a
<a name="INDEX-2196" />connection may remain open across
multiple requests, although the request and response cycle is the
same as above. However, you cannot rely on the network connection
remaining open since the connection can be closed or lost for any
number of reasons, and in any event CGI has not been modified to
allow you access any information that would associate requests made
across the same connection. So in HTTP 1.1 as in HTTP 1.0, the job of
maintaining state falls to us.</p>


<p>Consider our <a name="INDEX-2197" />shopping cart example: it should allow
consumers to navigate through many pages and selectively place items
in their carts. A consumer typically places an item in a cart by
selecting a product, entering the desired quantity, and submitting
the form. This action sends the data to the web server, which, in
turn, invokes the requested CGI application. To the server,
it's simply another request. So, it's up to the
application to not only keep track of the data between multiple
invocations, but also to identify the data as belonging to a
particular consumer.</p>


<p>In order to maintain state, we must get the client to pass us some
<a name="INDEX-2198" />
<a name="INDEX-2199" />unique identifier
with each request. As you can see from the HTTP request example
earlier, there are only three different ways the client can pass
information to us: via the request line, via a header line, or via
the content (in the case of a POST request). Thus, in order to
maintain state, we can have the client pass a unique identifier to us
via any of these methods. In fact, the techniques we'll explore
will cover all three of these ways:</p>


<dl>
<dt><b>
<a name="INDEX-2200" />
<a name="INDEX-2201" />
<a name="INDEX-2202" />Query strings and extra path information</b></dt>
<dd><p>It's possible to embed an identifier in the query string or as
extra path information within a document's URL. As users
traverse through a site, a CGI application generates documents on the
fly, passing the identifier from document to document. This allows us
to keep track of all the documents requested by each user, and in the
order in which they were requested. The browser sends this
information to us via the request line.</p></dd>


<dt><b>
<a name="INDEX-2203" />Hidden fields</b></dt>
<dd><p>Hidden form fields allow us to embed "invisible"
name-value information within forms that the user cannot see without
viewing the source of the HTML page. Like typical form fields and
values, this information is sent to the CGI application when the user
presses the submit button. We generally use this technique to
maintain the user's selections and preferences when multiple
forms are involved. We'll also look at how CGI.pm can do much
of this work for us. The browser sends this information to us via the
request line or via the message content depending on whether the
request was GET or POST, respectively.</p></dd>


<dt><b>
<a name="INDEX-2204" />
<a name="INDEX-2205" />
<a name="INDEX-2206" />Client-side cookies</b></dt>
<dd><p>All modern browsers support client-side cookies, which allow us to
store information on the client machine and have it pass it back to
us with each request. We can use this to store semi-permanent data on
the client-side, which will be available to us whenever the user
requests future resources from the server. Cookies are sent back to
us by the client in the <em class="emphasis">Cookie</em> HTTP header line.</p></dd>

</dl>


<p>The advantages and disadvantages of each technique are summarized in
<a href="ch11_01.htm#ch11-81511">Table 11-1</a>. We will review each technique
separately, so if some of the points in the table are unclear you may
want to refer back to this table after reading the sections below. In
general, though, you should note that client-side cookies are the
most powerful option for maintaining state, but they require
something from the client. The other options work regardless of the
client, but both have limits in the number of the pages that we can
track the user across.</p>



<a name="ch11-81511" /><h4 class="objtitle">Table 11-1. Summary of the Techniques for Maintaining 
State </h4><table border="1">





<tr>
<th>
<p>Technique</p></th>
<th>
<p>Scope</p></th>
<th>
<p>Reliability and Performance</p></th>
<th>
<p>Client Requirements</p></th>
</tr>




<tr>
<td>
<p>Query strings and extra path information</p></td>
<td>
<p>Can be configured to apply to a particular group of pages or an
entire web site, but state information is lost if the user leaves the
web site and later returns</p></td>
<td>
<p>Difficult to reliably parse all links in a document;</p>
<p>significant performance cost to pass static content through CGI
scripts</p></td>
<td>
<p>Does not require any special behavior from the client</p></td>
</tr>

<tr>
<td>
<p>Hidden fields</p></td>
<td>
<p>Only works across a series of form submissions</p></td>
<td>
<p>Easy to implement; does not affect performance</p></td>
<td>
<p>Does not require any special behavior from the client</p></td>
</tr>

<tr>
<td>
<p>Cookies</p></td>
<td>
<p>Works everywhere, even if the user visits another site and later
returns</p></td>
<td>
<p>Easy to implement; does not affect performance</p></td>
<td>
<p>Requires that the client supports (and accepts) cookies</p></td>
</tr>


</table>










<div class="sect1"><a name="ch11-36070" />
<h2 class="sect1">11.1. Query Strings and Extra Path Information</h2>


<p>We've passed <a name="INDEX-2209" /> <a name="INDEX-2,210" /> <a name="INDEX-2,211" />query
information to <a name="INDEX-2212" /> <a name="INDEX-2,213" />CGI applications many times
throughout this book. In this section, we'll use queries in a
slightly less obvious manner, namely to track a user's browsing
trail while traversing from one document to the next on the server.</p>


<p>In order to do this, we'll have a <a name="INDEX-2214" /> <a name="INDEX-2,215" />CGI script handle every request for
a static HTML page. The CGI script will check whether the request URL
contains an identifier matching our format. If it doesn't, the
script assumes that this is a new user and generates a new
identifier. The script then parses the requested HTML document by
looking for links to other URLs within our web site and appending a
unique identifier to each URL. Thus, the identifier will be passed on
with future requests and propagated from document to document. Of
course, if we want to track users across CGI applications then
we'll also need to parse the output of these CGI scripts. The
simplest way to
<a name="INDEX-2216" />accomplish both
goals is to create a general module that handles reading the
identifier and parsing the output. This way, we need to write our
code only once and can have the script for our HTML pages as well as
allow all our other CGI scripts share it.</p>


<p>As you may have guessed, this is not a very efficient process, since
a request for each and every HTML document triggers a CGI application
to be executed. Tools such as <em class="emphasis">mod_perl</em> and
FastCGI, discussed in <a href="ch17_01.htm">Chapter 17, "Efficiency and Optimization"</a>, help because both
of these tools effectively embed the Perl interpreter into the web
server.</p>


<p>Another strategy to help improve performance is to perform some
processing in advance. If you are willing to preprocess your
documents, you can reduce the amount of work that happens when the
customer accesses the document. The majority of the work involved in
parsing a document and replacing
<a name="INDEX-2217" />links
is identifying the links. <a name="INDEX-2218" />
<a name="INDEX-2219" />
<a name="INDEX-2220" /> <a name="INDEX-2,221" />HTML::Parser
is a good module, but the work it does is rather complex. If you
parse the links and add a special keyword instead of one for a
particular user, then later you can look for this keyword and not
have to worry about recognizing links. For example, you could parse
<a name="INDEX-2222" />URLs and add
<tt class="literal">#USERID#</tt> as the identifier for each document. The
resulting code becomes much simpler. You can effectively handle
documents this way:</p>


<blockquote><pre class="code">sub parse {
    my( $filename, $id ) = @_;
    local *FH;
    open FH, $filename or die "Cannot open file: $!";
    
    while (&lt;FH&gt;) {
        s/#USERID#/$id/g;
        print;
    }
}</pre></blockquote>


<p>However, when a user traverses through a set of static HTML
documents, CGI applications are typically not involved. If
that's the case, how do we pass session information from one
HTML document to the next, and be able to keep track of it on the
server?</p>


<p>The answer to our problem is to configure the
<a name="INDEX-2223" />server such that when the user
requests an HTML document, the server executes a CGI application. The