
‫ﻣﺮﻭﺭﻱ ﺑﺮ ﻣﻌﻤﺎﺭﻱ ﻭﺏ‬

‫ﻣﺮﻭﺭﻱ ﺑﺮ ﻣﻌﻤﺎﺭﻱ ﻭﺏ‬


‫ﺗﻬﻴﻪ ﻛﻨﻨﺪﻩ ‪ :‬ﺍﻣﻴﺮ ﺣﺴﻴﻦ ﺷﺮﻳﻔﻲ‬

‫‪SSL/TLS‬‬
‫ﺩﺭ ﺍﻳﻨﺠﺎ ﻓﺮﺽ ﺭﺍ ﺑﺮ ﺁﻥ ﮔﺬﺍﺷﺘﻴﻢ ﻛﻪ ﺧﻮﺍﻧﻨﺪﻩ ﻋﺰﻳﺰ ﺑﺎ ﭘﺮﻭﺗﻜﻞ ‪ HTTP‬ﻭ ‪ HTML‬ﺁﺷﻨﺎﻳﻲ ﺩﺍﺭﺩ ﻭ‬
‫ﻣﻲ ﺧﻮﺍﻫﻴﻢ ﻣﺨﺘﺼﺮ ﺑﺴﻴﺎﺭ ﻛﻮﺗﺎﻫﻲ ﺩﺭﺑﺎﺭﻩ ‪ SSL‬ﺑﻴﺎﻥ ﻛﻨﻴﻢ‪.‬‬
‫ﻳﻜﻲ ﺍﺯ ﺍﺳﺘﺜﻨﺎﻫﺎﻱ ﻭﺍﺿﺢ ﻭ ﺁﺷﻜﺎﺭﻱ ﻛﻪ ﺑﻴﺸﺘﺮ ﺑﺮﻧﺎﻣﻪ ﻫﺎﻱ ﻛﺎﺭﺑﺮﺩﻱ ﺗﺤﺖ ﻭﺏ ﺍﻣﺮﻭﺯﻩ ﺍﺳﺘﻔﺎﺩﻩ‬
‫ﻣﻲ ﻛﻨﻨﺪ ﭘﺮﻭﺗﻜﻞ ﻻﻳﻪ ﺳﻮﻛﺘﻬﺎﻱ ﺍﻣﻦ ) ‪ ( Secure Sockets Layer‬ﻣﻲ ﺑﺎﺷﺪ ﻛﻪ ﺩﺭ ﺑﺎﻻﻱ ‪HTTP‬‬
‫ﻗﺮﺍﺭ ﮔﺮﻓﺘﻪ ﺍﺳﺖ‪ SSL .‬ﺩﺭ ﺍﺻﻞ ﺑﺮﺍﻱ ﺭﻣﺰﮔﺬﺍﺭﻱ ﻻﻳﻪ ﺍﻧﺘﻘﺎﻝ ﺳﺎﺧﺘﻪ ﺷﺪﻩ ﺍﺳﺖ ﺑﻨﺎﺑﺮﺍﻳﻦ ﻳﻚ‬
‫ﻣﻴﺎﻧﺠﻲ ﺑﻴﻦ ﻣﺸﺘﺮﻱ ﻭ ﺳﺮﻭﻳﺲ ﺩﻫﻨﺪﻩ ﻧﻤﻲ ﺗﻮﺍﻧﺪ ﻣﺘﻦ ﺍﺻﻠﻲ ﺭﺩﻭ ﺑﺪﻝ ﺷﺪﻩ ﺭﺍ ﺑﻪ ﺭﺍﺣﺘﻲ ﺑﺨﻮﺍﻧﺪ‪.‬‬
‫ﻣﻲ ﺗﻮﺍﻥ ﮔﻔﺖ ﻛﻪ ‪ SSL‬ﺑﻪ ﺻﻮﺭﺕ ﻳﻚ ﻟﻔﺎﻓﻲ ﺑﺮﺍﻱ ‪ HTTP‬ﺳﺎﺧﺘﻪ ﺷﺪﻩ ﺍﺳﺖ‪ SSL .‬ﺑﻪ ﺻﻮﺭﺕ‬
‫ﺫﺍﺗﻲ ﭘﺎﻳﻪ ﻭ ﺍﺳﺎﺱ ﺩﺭﺧﻮﺍﺳﺖ‪-‬ﭘﺎﺳﺦ )‪ ( Request-Response‬ﭘﺮﻭﺗﻜﻞ ‪ HTTP‬ﺭﺍ ﺗﻐﻴﻴﺮ ﻧﺪﺍﺩﻩ‬
‫ﺍﺳﺖ‪ SSL .‬ﺑﺮﺍﻱ ﺍﻣﻨﻴﺖ ﺑﺮﻧﺎﻣﻪ ﻫﺎﻱ ﻛﺎﺭﺑﺮﺩﻱ ﻫﻴﭻ ﻛﺎﺭﻱ ﺍﻧﺠﺎﻡ ﻧﺪﺍﺩﻩ ﺍﺳﺖ ﺑﻠﻜﻪ ﻓﻘﻂ ﺍﺳﺘﺮﺍﻕ ﺳﻤﻊ‬
‫ﺑﻴﻦ ﻣﺸﺘﺮﻱ ﻭ ﺳﺮﻭﻳﺲ ﺩﻫﻨﺪﻩ ﺭﺍ ﻛﻤﻲ ﻣﺸﻜﻞ ﺗﺮ ﻛﺮﺩﻩ ﺍﺳﺖ‪ .‬ﮔﻮﺍﻫﻴﻨﺎﻣﻪ ﺳﻤﺖ ﻣﺸﺘﺮﻱ ﻳﻜﻲ ﺍﺯ‬
‫ﺧﺼﻮﺻﻴﺎﺕ ﺍﺧﺘﻴﺎﺭﻱ ﭘﺮﻭﺗﻜﻞ ‪ SSL‬ﻣﻲ ﺑﺎﺷﺪ ﻛﻪ ﭘﻴﺎﺩﻩ ﺳﺎﺯﻱ ﺷﺪﻩ ﺍﺳﺖ‪ .‬ﻳﻌﻨﻲ ﻳﻚ ﺍﺣﺮﺍﺯ ﻫﻮﻳﺖ‬
‫ﺩﻭ ﻃﺮﻓﻪ ﻛﻪ ﺑﺎﻳﺪ ﺍﻧﺠﺎﻡ ﺷﻮﺩ‪).‬ﮔﻮﺍﻫﻴﻨﺎﻣﻪ ﻣﺸﺘﺮﻱ ﺑﺎﻳﺪ ﺑﻪ ﻋﻨﻮﺍﻥ ﻳﻚ ﻫﻮﻳﺖ ﻣﺤﺮﺯ ﺷﺪﻩ ﺗﻮﺳﻂ‬
‫ﺳﺮﻭﻳﺲ ﺩﻫﻨﺪﻩ ﺍﻣﻀﺎ ﺷﻮﺩ( ‪ .‬ﺍﮔﺮ ﭼﻪ ﺗﻌﺪﺍﺩ ﻛﻤﻲ ﺍﺯ ﺳﺎﻳﺘﻬﺎﻱ ﺭﻭﻱ ﺍﻳﻨﺘﺮﻧﺖ ﺍﻣﺮﻭﺯﻩ ﺍﻳﻦ ﻛﺎﺭ ﺭﺍ‬
‫ﺍﻧﺠﺎﻡ ﻣﻲ ﺩﻫﻨﺪ‪.‬‬
نسخه قدیمی SSL، لایه امنیت انتقال (Transport Layer Security) بود. SSL/TLS از
طریق پورت 443 عمل می کند.

‫ﻣﺪﻳﺮﻳﺖ ﻭﺿﻌﻴﺘﻬﺎ؛ ‪Cookies‬‬


‫ﻫﻤﺎﻥ ﻃﻮﺭ ﻛﻪ ﻣﻲ ﺩﺍﻧﻴﺪ ﺩﺭ ﺣﻘﻴﻘﺖ ‪ HTTP‬ﻳﻚ ﭘﺮﻭﺗﻜﻞ ‪ Stateless‬ﻣﻲ ﺑﺎﺷﺪ‪ .‬ﻳﻌﻨﻲ ﻫﻴﭻ ﻭﺿﻌﻴﺘﻲ‬
‫ﺍﺯ ﻧﺸﺴﺘﻬﺎ ﺑﻪ ﻭﺳﻴﻠﻪ ﺧﻮﺩ ﭘﺮﻭﺗﻜﻞ ﺣﻤﺎﻳﺖ ﻧﻤﻲ ﺷﻮﺩ‪ .‬ﺑﻪ ﻋﻨﻮﺍﻥ ﻣﺜﺎﻝ ﺍﮔﺮ ﺷﻤﺎ ﺑﺮﺍﻱ ﺩﺭﺧﻮﺍﺳﺖ‬
‫ﻣﻨﺒﻌﻲ ﻛﻪ ﻛﺮﺩﻩ ﺍﻳﺪ ﻳﻚ ﭘﺎﺳﺦ ﻧﺎﻣﻌﺘﺒﺮﻱ ﺩﺭﻳﺎﻓﺖ ﻛﻨﻴﺪ ﺩﻭﺑﺎﺭﻩ ﺍﻗﺪﺍﻡ ﺑﻪ ﺩﺭﺧﻮﺍﺳﺖ ﻓﻮﻕ ﻣﻲ ﻛﻨﻴﺪ ﺍﻣﺎ‬
‫ﺳﺮﻭﻳﺲ ﺩﻫﻨﺪﻩ ﺍﻳﻦ ﺩﺭﺧﻮﺍﺳﺖ ﺭﺍ ﺑﻪ ﺻﻮﺭﺕ ﻛﺎﻣﻼ ﺟﺪﺍﮔﺎﻧﻪ ﻭ ﻭﺍﺣﺪ ﻣﻼﺣﻈﻪ ﻣﻲ ﻛﻨﺪ‪ .‬ﺑﺮﺍﻱ ﺭﻓﻊ‬
‫ﺍﻳﻦ ﺿﻌﻒ ﻣﻜﺎﻧﻴﺰﻣﻬﺎﻳﻲ ﻭﺟﻮﺩ ﺩﺍﺭﺩ ﻛﻪ ﺑﺎﻋﺚ ﻣﻲ ﺷﻮﺩ ﺍﻳﻦ ﭘﺮﻭﺗﻜﻞ ﺑﻪ ﺻﻮﺭﺕ ﻳﻚ ﭘﺮﻭﺗﻜﻞ‬
‫‪ Stateful‬ﻋﻤﻞ ﻛﻨﺪ‪ .‬ﻳﻜﻲ ﺍﺯ ﻣﻜﺎﻧﻴﺴﻢ ﻫﺎﻳﻲ ﻛﻪ ﺍﻣﺮﻭﺯﻩ ﺑﻪ ﻃﻮﺭ ﮔﺴﺘﺮﺩﻩ ﺍﻱ ﺍﺳﺘﻔﺎﺩﻩ ﻣﻲ ﺷﻮﺩ‬
‫‪ Cookie‬ﻫﺎ ﻣﻲ ﺑﺎﺷﻨﺪ ﻛﻪ ﺑﻪ ﻋﻨﻮﺍﻥ ﺑﺨﺸﻲ ﺍﺯ ﺩﺭﺧﻮﺍﺳﺖ – ﭘﺎﺳﺦ ﻫﺎﻱ ‪ HTTP‬ﺑﻴﻦ ﺳﺮﻭﺭ ﻭ‬
‫ﻛﻼﻳﻨﺖ ﺭﺩﻭ ﺑﺪﻝ ﻣﻲ ﺷﻮﻧﺪ ﻭ ﺑﺎﻋﺚ ﻣﻲ ﺷﻮﺩ ﻛﻪ ﺑﺮﻧﺎﻣﻪ ﻛﺎﺭﺑﺮﺩﻱ ﻭ ﻣﺸﺘﺮﻱ ﺍﻳﻨﮕﻮﻧﻪ ﻓﻜﺮ ﻛﻨﻨﺪ ﻛﻪ‬

‫‪1‬‬ ‫‪www.WebSecurityMgz.com‬‬
‫ﻣﺮﻭﺭﻱ ﺑﺮ ﻣﻌﻤﺎﺭﻱ ﻭﺏ‬

‫ﺁﻧﻬﺎ ﺍﺯ ﻃﺮﻳﻖ ﻳﻚ ﺣﻮﺯﻩ ﻣﺠﺎﺯﻱ ﺑﻪ ﻫﻢ ﻣﺘﺼﻞ ﺷﺪﻩ ﺍﻧﺪ‪) .‬ﺍﻳﻦ ﻣﻜﺎﻧﻴﺴﻢ ﺑﻪ ﺻﻮﺭﺕ ﻛﺎﻣﻞ ﺗﺮﻱ ﺩﺭ‬
‫‪ RFC 2965‬ﺑﻴﺎﻥ ﺷﺪﻩ ﺍﺳﺖ (‪ .‬ﻛﻮﻛﻴﻬﺎ ﺑﻬﺘﺮﻳﻦ ﺭﻭﺷﻲ ﺍﺭﺗﺒﺎﻃﻲ ﺑﺮﺍﻱ ﺍﻳﻦ ﻣﻨﻈﻮﺭ ﻣﻲ ﺑﺎﺷﻨﺪ ﺑﺮﺍﻱ‬
‫ﺍﻳﻦ ﻛﻪ ﻫﺮ ﻛﺎﺭﺑﺮﻱ ﺑﻪ ﻭﺳﻴﻠﻪ ﻳﻚ ﻧﺸﺎﻧﻪ ﺑﺎ ﻳﻚ ﺳﺎﻳﺖ ﻭﺏ ﺍﺭﺗﺒﺎﻁ ﺑﺮﻗﺮﺍﺭ ﻛﻨﺪ ﻭ ﺗﺎ ﻫﺮ ﺯﻣﺎﻧﻲ ﻛﻪ ﺍﻳﻦ‬
‫ﻧﺸﺎﻧﻪ ﺑﻪ ﻫﻤﺮﺍﻩ ﺩﺭﺧﻮﺍﺳﺖ ﻛﺎﺭﺑﺮ ﻓﺮﺳﺘﺎﺩﻩ ﻣﻲ ﺷﻮﺩ ‪ ،‬ﺁﻥ ﻛﺎﺭﺑﺮ ﻣﺠﺎﺯ ﺑﻪ ﺍﺳﺘﻔﺎﺩﻩ ﺍﺯ ﺳﺎﻳﺖ ﻣﻮﺭﺩ‬
‫ﻧﻈﺮ ﻣﻲ ﺑﺎﺷﺪ‪.‬ﺁﻧﻬﺎ ﻣﻲ ﺗﻮﺍﻧﻨﺪ ﻫﻢ ﺩﺭ ﺣﺎﻓﻈﻪ ﺫﺧﻴﺮﻩ ﺷﻮﻧﺪ ﻭ ﻫﻢ ﻣﻲ ﺗﻮﺍﻧﻨﺪ ﺑﻪ ﺻﻮﺭﺕ ﭘﺎﻳﺪﺍﺭﺗﺮﻱ ﺩﺭ‬
‫ﺩﻳﺴﻚ ﺳﺨﺖ ﻣﺎﻧﺪﮔﺎﺭ ﺑﺎﺷﻨﺪ‪ .‬ﻛﻮﻛﻴﻬﺎ ﻫﺮﮔﺰ ﺑﺪﻭﻥ ﻋﻴﺐ ﻭ ﻧﻘﺺ ﻧﻤﻲ ﺑﺎﺷﻨﺪ ) ﺑﻪ ﺧﺼﻮﺹ ﻫﻨﮕﺎﻣﻲ‬
‫ﻛﻪ ﺑﻪ ﺻﻮﺭﺕ ﺿﻌﻴﻔﻲ ﺳﺎﺧﺘﻪ ﻣﻲ ﺷﻮﻧﺪ ( ﻭ ﺍﺳﺘﻔﺎﺩﻩ ﺍﺯ ﺁﻧﻬﺎ ﭘﻴﺎﻣﺪﻫﺎﻱ ﺯﻳﺎﺩﻱ ﺭﺍ ﺑﺮﺍﻱ ﺍﻣﻨﻴﺖ‬
‫ﺑﺮﻧﺎﻣﻪ ﻫﺎﻱ ﻛﺎﺭﺑﺮﺩﻱ ﺩﺍﺭﺩ ‪ .‬ﻭﻟﻲ ﺩﺭ ﺣﺎﻝ ﺣﺎﺿﺮ ﻫﻴﭻ ﻣﻜﺎﻧﻴﺰﻡ ﺑﻬﺘﺮ ﺩﻳﮕﺮﻱ ﺑﺮﺍﻱ ﺍﻳﻦ ﻣﺸﻜﻞ ﻭﺟﻮﺩ‬
‫ﻧﺪﺍﺭﺩ‪.‬‬

‫ﻣﺸﺘﺮﻱ ﻫﺎﻱ )‪ ( Clients‬ﻭﺏ‬


‫ﺑﺮﻧﺎﻣﻪ ﻛﺎﺭﺑﺮﺩﻱ ﺍﺳﺘﺎﻧﺪﺍﺭﺩ ﺑﺮﺍﻱ ﻣﺸﺘﺮﻱ ‪ ،‬ﻣﺮﻭﺭﮔﺮ ﻭﺏ ﻣﻲ ﺑﺎﺷﺪ ﻛﻪ ﺍﺯ ﻣﻴﺎﻥ ﭘﺮﻭﺗﻜﻞ ‪HTTP‬‬
‫ﺍﺭﺗﺒﺎﻁ ﺑﺮﻗﺮﺍﺭ ﻣﻲ ﻛﻨﺪ ﻭ ﻣﺘﻮﻥ ‪ HTML‬ﺍﻱ ﻛﻪ ﺩﺭﻳﺎﻓﺖ ﻣﻲ ﻛﻨﺪ ﺭﺍ ﺗﺮﺟﻤﻪ ﻛﺮﺩﻩ ﻭ ﻧﻤﺎﻳﺶ ﻣﻲ ﺩﻫﺪ‪.‬‬
‫ﺑﻪ ﺻﻮﺭﺕ ﻛﻠﻲ ‪ HTML‬ﻭ ‪ HTTP‬ﻣﺎﻣﻮﺭ ﺷﺪﻩ ﺍﻧﺪ ﻛﻪ ﺩﺍﺩﻩ ﻫﺎﻳﻲ ﻛﻪ ﺑﻪ ﻭﺳﻴﻠﻪ ﺳﺮﻭﺭ ﭘﺮﺩﺍﺯﺵ‬
‫ﺷﺪﻩ ﺍﻧﺪ ﺑﺮﺍﻱ ﻣﺸﺘﺮﻱ ﻭﺏ ﻧﻤﺎﻳﺶ ﺩﺍﺩﻩ ﺷﻮﺩ ‪.‬‬
‫ﻣﺎﻧﻨﺪ ‪ ، HTTP‬ﻣﺮﻭﺭﮔﺮ ﻭﺏ ﻧﻴﺰ ﺧﻴﻠﻲ ﺳﺎﺩﻩ ﺑﻪ ﻧﻈﺮ ﻣﻲ ﺭﺳﺪ‪ .‬ﺗﻮﺳﻌﻪ ﭘﺬﻳﺮﻱ ‪ HTML‬ﺍﻳﻦ ﺍﻣﻜﺎﻥ‬
‫ﺭﺍ ﺑﺮﺍﻱ ﻣﺎ ﻓﺮﺍﻫﻢ ﻣﻲ ﻛﻨﺪ ﻛﻪ ﺑﺘﻮﺍﻧﻴﻢ ﻣﺘﻮﻥ ﺍﺳﺘﺎﺗﻴﻚ ﻭ ﺩﻳﻨﺎﻣﻴﻚ ﺭﺍ ﺩﺭ ﺁﻥ ﺑﻴﺎﻣﻴﺰﻳﻢ‪ .‬ﺍﺯ ﻣﺤﺘﻮﺍﻫﺎﻱ‬
فعال به کار رفته می توان ActiveX ها و Java را نام برد. گنجاندن یک ActiveX در HTML
‫ﺭﺍ ﻣﻲ ﺗﻮﺍﻧﻴﺪ ﺩﺭ ﺫﻳﻞ ﻣﺸﺎﻫﺪﻩ ﻛﻨﻴﺪ‪:‬‬
<object id="scr"
    classid="clsid:09243BD5-48AA-11D2-092267C3FBC">
</object>

‫ﺩﺭ ﻛﻠﻤﺎﺕ ﻭﺏ ‪ ،‬ﻫﻤﻪ ﺣﺮﻭﻑ ﺩﺭ ﻛﺪ ‪ ASCII‬ﻣﻲ ﺑﺎﺷﺪ‪ .‬ﻭﻗﺘﻲ ﻳﻚ ﻣﺘﺮﺟﻢ ﻣﺮﻭﺭﮔﺮ ﻭﺏ ﺑﺎ ﻳﻚ‬
برچسب object برخورد کرد متوجه می شود که باید آن را از یک سایت دور دانلود کند و یا
به صورت مستقیم از کامپیوتر محلی بارگذاری کند و سپس آن را اجرا کند. البته این ActiveX
‫ﺩﺭ ﺻﻮﺭﺗﻲ ﺍﺟﺮﺍ ﻣﻲ ﺷﻮﺩ ﻛﻪ ﻳﺎ ﻗﺒﻼ ﺩﺭ ﻛﺎﻣﭙﻴﻮﺗﺮ ﺷﻤﺎ ﻧﺼﺐ ﺷﺪﻩ ﺑﺎﺷﺪ ﻭ ﻳﺎ ﺍﺣﺮﺍﺯ ﻫﻮﻳﺖ ﺷﺪﻩ‬
‫ﺑﺎﺷﺪ ﻛﻪ ﺍﻳﻦ ﻛﺎﺭ ﺑﻪ ﻭﺳﻴﻠﻪ ‪ Microsoft Authenticode‬ﺍﻧﺠﺎﻡ ﻣﻲ ﺷﻮﺩ‪ .‬ﻳﻌﻨﻲ ﺩﺭ ﺣﻴﻦ ﺍﺟﺮﺍﻱ ﺁﻥ‬
‫ﻳﻚ ﺻﻔﺤﻪ ﺑﺎﺯ ﺷﺪﻩ ﻭ ﺍﻣﻀﺎﻱ ﺩﻳﺠﻴﺘﺎﻝ ﺷﺨﺺ ﺳﺎﺯﻧﺪﻩ ﻛﺪ ﺭﺍ ﻧﻤﺎﻳﺶ ﻣﻲ ﺩﻫﺪ ﻭ ﺍﺯ ﺷﻤﺎ ﺳﻮﺍﻝ‬
‫ﻣﻲ ﻛﻨﺪ ﻛﻪ ﺁﻳﺎ ﻓﺎﻳﻞ ﻣﻮﺭﺩ ﻧﻈﺮ ﺭﺍ ﺍﺟﺮﺍ ﻛﻨﺪ ﻳﺎ ﺧﻴﺮ ‪ .‬ﺍﮔﺮ ﻛﺎﺭﺑﺮ ﺟﻮﺍﺏ ﻣﺜﺒﺖ ﺩﻫﺪ ﻛﺪ ﺍﺟﺮﺍ ﻣﻲ ﺷﻮﺩ‪.‬‬
‫ﻻﺯﻡ ﺑﻪ ﺫﻛﺮ ﺍﺳﺖ ﻛﻪ ﺍﺟﺮﺍﻱ ﺑﺴﻴﺎﺭﻱ ﺍﺯ ‪ ActiveX‬ﻫﺎ ﻣﻲ ﺗﻮﺍﻥ ﺍﻣﻨﻴﺖ ﻳﻚ ﺳﻴﺴﺘﻢ ﺭﺍ ﺑﻪ ﺧﻄﺮ‬
‫ﺑﻴﺎﻧﺪﺍﺯﺩ‪ .‬ﭘﺲ ﻫﻴﭽﮕﺎﻩ ﺑﻪ ﺍﻳﻨﮕﻮﻧﻪ ﺑﺮﻧﺎﻣﻪ ﻫﺎﻳﻲ ﻛﻪ ﻧﺎﺁﺷﻨﺎ ﻭ ﻧﺎ ﻣﺸﺨﺺ ﻣﻲ ﺑﺎﺷﻨﺪ ﺍﺟﺎﺯﻩ ﺍﺟﺮﺍ ﺷﺪﻥ‬
‫ﻧﺪﻫﻴﺪ‪.‬‬

‫‪2‬‬ ‫‪www.WebSecurityMgz.com‬‬
‫ﻣﺮﻭﺭﻱ ﺑﺮ ﻣﻌﻤﺎﺭﻱ ﻭﺏ‬

‫‪ HTML‬ﻳﻚ ﺯﺑﺎﻥ ﺗﻮﺍﻧﺎ ﻣﻲ ﺑﺎﺷﺪ ﺍﻣﺎ ﻣﺤﺪﻭﺩﻳﺖ ﻫﺎﻱ ﺯﻳﺎﺩﻱ ﺩﺍﺭﺩ‪ .‬ﺑﻌﺪ ﺍﺯ ﺳﺎﻟﻬﺎ ‪ ،‬ﺗﻜﻨﻮﻟﻮﮊﻳﻬﺎﻱ‬
‫ﺟﺪﻳﺪﻱ ﻣﺎﻧﻨﺪ ‪ HTML‬ﺩﻳﻨﺎﻣﻴﻚ ﻭ ‪ Style Sheet‬ﻫﺎ ﭘﺪﻳﺪﺍﺭ ﺷﺪﻧﺪ ﺗﺎ ﭼﺎﺷﻨﻲ ﺑﺮﺍﻱ ﻧﻤﺎﻳﺶ ﻣﺤﺘﻮﻳﺎﺕ‬
صفحات وب باشند. اما تغییرات بنیادی تری نیز در حال وقوع است. XML (eXtensible
Markup Language) به آهستگی جایگزین HTML می شود.
بالاخره اینکه مرورگر می تواند با دیگر پروتکلها نیز ارتباط برقرار کند. به عنوان مثال می تواند به
وسیله پروتکل SSL با یک سرور وب ارتباط داشته باشد و همچنین می تواند با دیگر پروتکلها
مانند FTP ارتباط برقرار کند. به درستی که مرورگر وب یکی از بزرگترین سلاح های قابل
دسترس برای نفوذگران وب می باشد.

‫ﺳﺮﻭﺭ ﻭﺏ‬
‫ﺳﺮﻭﺭ ﻭﺏ ﺩﺭ ﺗﻌﺮﻳﻒ ﺑﻪ ﺻﻮﺭﺕ ﻳﻚ ﺳﺮﻭﻳﺲ ﺩﻫﻨﺪﻩ ‪ HTTP‬ﻣﻲ ﺑﺎﺷﺪ ﻛﻪ ﺩﺭﺧﻮﺍﺳﺖ ﻫﺎ ﺭﺍ ﺑﺮﺍﻱ‬
‫ﻣﻨﺎﺑﻊ ﺩﺭﻳﺎﻓﺖ ﻣﻲ ﻛﻨﺪ ﻭ ﺑﻌﻀﻲ ﺍﺯ ﺗﺠﺰﻳﻪ ﻫﺎ ﺭﺍ ﺭﻭﻱ ﺁﻥ ﺍﻧﺠﺎﻡ ﻣﻲ ﺩﻫﺪ ﺗﺎ ﻣﻄﻤﺌﻦ ﺷﻮﺩ ﻛﻪ ﺍﻳﻦ ﻣﻨﺒﻊ‬
‫ﻗﺎﺑﻞ ﺩﺳﺘﺮﺱ ﻣﻲ ﺑﺎﺷﺪ ﻳﺎ ﺧﻴﺮ ﻭ ﺳﭙﺲ ﺁﻥ ﺭﺍ ﺑﺮﺍﻱ ﭘﺮﺩﺍﺯﺵ ‪ ،‬ﺗﺤﻮﻳﻞ ﺑﺮﻧﺎﻣﻪ ﻛﺎﺭﺑﺮﺩﻱ ﻣﻲ ﺩﻫﺪ ﻭ‬
‫ﻭﻗﺘﻲ ﻛﻪ ﺑﺮﻧﺎﻣﻪ ﭘﺎﺳﺦ ﺭﺍ ﺑﺮﮔﺮﺩﺍﻧﺪ ‪ ،‬ﺳﺮﻭﻳﺲ ‪ HTTP‬ﺁﻥ ﺭﺍ ﺑﻪ ﻣﺸﺘﺮﻱ ﺗﺤﻮﻳﻞ ﻣﻲ ﺩﻫﺪ‪.‬‬
امروزه سرورهای محبوب قابل دسترس زیادی وجود دارد مانند IIS، سرور Apache HTTP
از Apache Software Foundation (که به اختصار Apache گفته می شود)،
AOL/Netscape Enterprise و Sun iPlanet.
‫ﺍﮔﺮ ﭼﻪ ﺳﺮﻭﺭﻫﺎﻱ ﻭﺏ ﺧﻴﻠﻲ ﺳﺎﺩﻩ ﺑﻪ ﻧﻈﺮ ﻣﻲ ﺁﻳﺪ ‪ ،‬ﺍﻣﺎ ﻣﺎ ﺩﻭﺑﺎﺭﻩ ﺑﺎﻳﺪ ﺩﺭﺑﺎﺭﻩ ﺳﻮﺭﺍﺧﻬﺎﻱ ﺍﻣﻨﻴﺘﻲ‬
‫ﺯﻳﺎﺩﻱ ﻛﻪ ﺩﺭ ﺁﻧﻬﺎ ﻭﺟﻮﺩ ﺩﺍﺭﺩ ﻭ ﻃﻲ ﺳﺎﻟﻴﺎﻥ ﺩﺭﺍﺯ ﻛﺸﻒ ﺷﺪﻩ ﺍﻧﺪ ﺑﺤﺚ ﻛﻨﻴﻢ‪ .‬ﺑﻪ ﻃﻮﺭﻱ ﻛﻪ‬
‫ﺳﻮﺭﺍﺧﻬﺎﻱ ﺍﻣﻨﻴﺘﻲ ﺩﺭ ﺳﺮﻭﺭ ﻫﺎﻱ ﻭﺏ ﻳﻜﻲ ﺍﺯ ﺑﺮﺗﺮﻳﻦ ﻣﺴﺎﺋﻞ ﺍﻣﻨﻴﺘﻲ ﻣﻲ ﺑﺎﺷﺪ ﻛﻪ ﺍﺯ ﺳﺎﻝ ‪١٩٩٠‬‬
‫ﺑﻪ ﺍﻳﻦ ﻃﺮﻑ ﺑﻴﺎﻥ ﺷﺪﻩ ﺍﺳﺖ‪.‬‬

‫ﺑﺮﻧﺎﻣﻪ ﻛﺎﺭﺑﺮﺩﻱ ﻭﺏ‬


‫ﻫﺴﺘﻪ ﺍﺻﻠﻲ ﺳﺎﻳﺘﻬﺎﻱ ﻭﺏ ﻗﺴﻤﺖ ﻣﻨﻄﻘﻲ ﺳﻤﺖ ﺳﺮﻭﺭ ﻣﻲ ﺑﺎﺷﺪ‪ ) .‬ﺍﮔﺮ ﭼﻪ ﻣﻨﻄﻖ ﺳﻤﺖ ﻣﺸﺘﺮﻱ‬
هنوز با مرورگر وب آمیخته می باشد). این مدل به n-tier مشهور می باشد که به طور معمول
‫ﺷﺒﻴﻪ ﻳﻚ ﺳﺮﻭﺭ ‪ HTTP‬ﻣﻲ ﺑﺎﺷﺪ ﻛﻪ ﺑﻪ ﺻﻮﺭﺕ ﺩﻳﻨﺎﻣﻴﻚ ﻃﺮﺍﺣﻲ ﺷﺪﻩ ﺍﺳﺖ ﻭ ﺗﻘﺮﻳﺒﺎ ﺑﻪ ﺻﻮﺭﺕ‬
‫ﻳﻚ ﺑﺮﻧﺎﻣﻪ ﻛﺎﺭﺑﺮﺩﻱ ﻳﻜﭙﺎﺭﭼﻪ ﻭ ‪ Stateful‬ﻛﻪ ﺑﻪ ﻛﺎﺭﺑﺮﻫﺎ ﺍﺟﺎﺯﻩ ﻣﻲ ﺩﻫﺪ ﻛﻪ ﺑﺎ ﺁﻥ ﺗﻌﺎﻣﻞ ﺩﺍﺷﺘﻪ‬
‫ﺑﺎﺷﻨﺪ‪.‬‬
مفهوم n-tier یا n لایه ای برای فهمیدن و درک برنامه کاربردی مهم می باشد. لایه برنامه
‫ﻛﺎﺭﺑﺮﺩﻱ ﻣﻲ ﺗﻮﺍﻧﺪ ﺧﻮﺩﺵ ﺷﺎﻣﻞ ﭼﻨﺪﻳﻦ ﻻﻳﻪ ﺩﻳﮕﺮ ﺑﺎﺷﺪ‪ .‬ﺍﻣﺎ ﻧﻤﺎﻳﺶ ﻋﻤﻮﻣﻲ ﺁﻥ ﺑﻪ ﺻﻮﺭﺕ‬
‫‪3‬‬
‫ﻣﻌﻤﺎﺭﻱ ‪ ٣‬ﻻﻳﻪ ﺍﻱ ﻧﻤﺎﻳﺶ ﺩﺍﺩﻩ ﻣﻲ ﺷﻮﺩ ﻛﻪ ﺑﻪ ﻧﺎﻣﻬﺎﻱ ﻻﻳﻪ ﻧﻤﺎﻳﺶ‪ ، ١‬ﻻﻳﻪ ﻣﻨﻄﻘﻲ‪ 2‬ﻭ ﻻﻳﻪ ﺩﺍﺩﻩ‬

‫‪1 - Presentation Layer‬‬

‫‪3‬‬ ‫‪www.WebSecurityMgz.com‬‬
‫ﻣﺮﻭﺭﻱ ﺑﺮ ﻣﻌﻤﺎﺭﻱ ﻭﺏ‬

‫ﻣﻌﺮﻭﻑ ﻣﻲ ﺑﺎﺷﺪ ﻛﻪ ﺩﺭ ﺷﻜﻞ ‪ ١‬ﻧﻤﺎﻳﺶ ﺩﺍﺩﻩ ﺷﺪﻩ ﺍﺳﺖ‪ .‬ﺍﺟﺎﺯﻩ ﺑﺪﻫﻴﺪ ﻛﻪ ﺁﻧﻬﺎ ﺭﺍ ﺑﻪ ﻃﻮﺭ ﺧﻼﺻﻪ‬
‫ﺑﻴﺎﻥ ﻛﻨﻴﻢ‪.‬‬
‫ﻻﻳﻪ ﻧﻤﺎﻳﺶ ﺗﺴﻬﻴﻼﺗﻲ ﺭﺍ ﺑﺮﺍﻱ ﮔﺮﻓﺘﻦ ﻭﺭﻭﺩﻱ ﻫﺎ ﻭ ﻧﻤﺎﻳﺶ ﻧﺘﻴﺠﻪ ﻓﺮﺍﻫﻢ ﻣﻲ ﻛﻨﺪ‪ .‬ﻻﻳﻪ ﻣﻨﻄﻘﻲ ‪ ،‬ﺩﺍﺩﻩ‬
‫ﻫﺎ ﺭﺍ ﺍﺯ ﻻﻳﻪ ﻧﻤﺎﻳﺶ ﺩﺭﻳﺎﻓﺖ ﻛﺮﺩﻩ ﻭ ﻛﺎﺭﻫﺎﻳﻲ ﺭﺍ ﺭﻭﻱ ﺁﻥ ﺍﻧﺠﺎﻡ ﻣﻲ ﺩﻫﺪ‪ .‬ﻫﺮ ﺯﻣﺎﻥ ﻛﻪ ﻧﻴﺎﺯ ﺑﻪ ﻛﻤﻚ‬
‫ﻻﻳﻪ ﺩﺍﺩﻩ ﺑﺎﺷﺪ‪ ،‬ﺩﺍﺩﻩ ﻫﺎ ﺑﻪ ﻻﻳﻪ ﻧﻤﺎﻳﺶ ﺑﻪ ﻋﻨﻮﺍﻥ ﻧﺘﻴﺠﻪ ﻛﺎﺭ ﺑﺮ ﮔﺮﺩﺍﻧﺪﻩ ﻣﻲ ﺷﻮﺩ‪ .‬ﺳﺮﺍﻧﺠﺎﻡ ﻻﻳﻪ‬
‫ﺩﺍﺩﻩ ﻳﻚ ﻣﻨﺒﻊ ﻣﺎﻧﺪﮔﺎﺭﻱ ﺍﺯ ﺩﺍﺩﻩ ﻫﺎ ﺭﺍ ﻓﺮﺍﻫﻢ ﻣﻲ ﻛﻨﺪ ﻛﻪ ﻣﻲ ﺗﻮﺍﻥ ﺭﻭﻱ ﺁﻧﻬﺎ ﺟﺴﺘﺠﻮ ﺍﻧﺠﺎﻡ ﺩﺍﺩ ﻭ‬
‫ﻫﺮ ﺩﻓﻌﻪ ﺑﻪ ﻭﺳﻴﻠﻪ ﻻﻳﻪ ﻣﻨﻄﻘﻲ ﺑﻪ ﺭﻭﺯ ﺭﺳﺎﻧﻲ ﻣﻲ ﺷﻮﺩ‪ .‬ﻻﻳﻪ ﺩﺍﺩﻩ ﺍﻳﻦ ﺍﻣﻜﺎﻥ ﺭﺍ ﻓﺮﺍﻫﻢ ﻣﻲ ﻛﻨﺪ ﻛﻪ‬
‫ﻻﻳﻪ ﻣﻨﻄﻘﻲ ﺑﺪﻭﻥ ﺍﻳﻨﻜﻪ ﻧﻴﺎﺯﻱ ﺑﻪ ﻛﺪﻫﺎﻱ ﻣﺸﻜﻞ ﺑﺮﻧﺎﻣﻪ ﻧﻮﻳﺴﻲ ﺩﺍﺷﺘﻪ ﺑﺎﺷﺪ ﺑﺘﻮﺍﻧﺪ ﺁﻥ ﺭﺍ ﺑﻪ ﺁﺳﺎﻧﻲ‬
‫ﺑﻪ ﺭﻭﺯ ﺭﺳﺎﻧﻲ ﻛﻨﺪ ﻭ ﺍﺯ ﺁﻥ ﺍﺳﺘﻔﺎﺩﻩ ﻧﻤﺎﻳﺪ‪.‬‬
‫ﺑﺮﺍﻱ ﺍﻳﻨﻜﻪ ﺑﻔﻬﻤﻴﺪ ﺍﻳﻨﻬﺎ ﭼﮕﻮﻧﻪ ﺑﺎ ﻫﻢ ﻛﺎﺭ ﻣﻲ ﻛﻨﻨﺪ ﺍﺟﺎﺯﻩ ﺑﺪﻫﻴﺪ ﻣﺜﺎﻟﻲ ﺭﺍ ﺑﻴﺎﻥ ﻛﻨﻴﻢ‪ .‬ﻳﻚ ﺑﺮﻧﺎﻣﻪ‬
‫ﻛﺎﺭﺑﺮﺩﻱ ﺗﺤﺖ ﻭﺏ ﺳﺎﺩﻩ ﺭﺍ ﻓﺮﺽ ﻛﻨﻴﺪ ﻛﻪ ﺗﻤﺎﻡ ﻓﺎﻳﻠﻬﺎﻱ ﻣﺤﻠﻲ ﺩﺭﻭﻥ ﻫﺎﺭﺩ ﺳﺮﻭﺭ ﺭﺍ ﺑﺮﺍﻱ ﻭﺟﻮﺩ‬
‫ﻣﺘﻨﻲ ﻛﻪ ﻛﺎﺭﺑﺮ ﺩﺭﺧﻮﺍﺳﺖ ﻛﺮﺩﻩ ﺍﺳﺖ ‪ ،‬ﺟﺴﺘﺠﻮ ﻣﻲ ﻛﻨﺪ ﻭ ﻧﺘﻴﺠﻪ ﺭﺍ ﻧﻤﺎﻳﺶ ﻣﻲ ﺩﻫﺪ‪ .‬ﻻﻳﻪ ﻧﻤﺎﻳﺶ‬
‫ﺷﺎﻣﻞ ﻳﻚ ﻓﺮﻡ ﺑﺎ ﻓﻴﻠﺪﻫﺎﻳﻲ ﺑﺮﺍﻱ ﺩﺭﻳﺎﻓﺖ ﻣﺘﻦ ﻭﺭﻭﺩﻱ ﺗﻮﺳﻂ ﻛﺎﺭﺑﺮ ﻣﻲ ﺑﺎﺷﺪ ﻛﻪ ﺍﻳﻦ ﻣﺘﻦ ﺑﺎﻳﺪ‬
‫ﻣﻮﺭﺩ ﺟﺴﺘﺠﻮ ﻗﺮﺍﺭ ﮔﻴﺮﺩ‪ .‬ﻻﻳﻪ ﻣﻨﻄﻘﻲ ﻳﻚ ﺑﺮﻧﺎﻣﻪ ﺍﺟﺮﺍﻳﻲ ﻣﻲ ﺑﺎﺷﺪ ﻛﻪ ﺭﺷﺘﻪ ﻭﺭﻭﺩﻱ ﺭﺍ ﺩﺭﻳﺎﻓﺖ‬
‫ﻛﺮﺩﻩ ﻭ ﭘﺲ ﺍﺯ ﺍﻳﻨﻜﻪ ﻣﻄﻤﺌﻦ ﺷﺪ ﻛﻪ ﺍﻳﻦ ﺭﺷﺘﻪ ﺣﺎﻭﻱ ﻛﺎﺭﺍﻛﺘﺮﻫﺎﻱ ﻣﺨﺮﺏ ﻧﻤﻲ ﺑﺎﺷﺪ ‪ ،‬ﺍﺭﺗﺒﺎﻁ‬
‫ﺩﻫﻨﺪﻩ ﻣﻨﺎﺳﺐ ﺑﻪ ﭘﺎﻳﮕﺎﻩ ﺩﺍﺩﻩ ﺭﺍ ﺑﺮﺍﻱ ﺍﻳﺠﺎﺩ ﻳﻚ ﺍﺭﺗﺒﺎﻁ ﺑﺎ ﻻﻳﻪ ﺩﺍﺩﻩ ‪ ،‬ﻓﺮﺍﺧﻮﺍﻧﻲ ﻣﻲ ﻛﻨﺪ‪ .‬ﺳﺮﺍﻧﺠﺎﻡ‬
‫ﻳﻚ ‪ Query‬ﺑﻪ ﻭﺳﻴﻠﻪ ﻭﺭﻭﺩﻱ ﺳﺎﺧﺘﻪ ﻣﻲ ﺷﻮﺩ‪ .‬ﻻﻳﻪ ﺩﺍﺩﻩ ﻣﻤﻜﻦ ﺍﺳﺖ ﺷﺎﻣﻞ ﭘﺎﻳﮕﺎﻩ ﺩﺍﺩﻩ ﺍﻱ ﺑﺎﺷﺪ‬
‫ﻛﻪ ﺷﺎﺧﺼﻲ ﺍﺯ ﻛﻠﻴﻪ ﻓﺎﻳﻠﻬﺎﻱ ﺩﺭﻭﻥ ﻣﺎﺷﻴﻦ ﻣﺤﻠﻲ ﺭﺍ ﺩﺭ ﺧﻮﺩ ﺫﺧﻴﺮﻩ ﻛﺮﺩﻩ ﺍﺳﺖ ﻭ ﺑﻪ ﺻﻮﺭﺕ‬
‫‪ Real-Time‬ﺑﻪ ﺭﻭﺯ ﺭﺳﺎﻧﻲ ﻣﻲ ﺷﻮﺩ‪ Query .‬ﭘﺎﻳﮕﺎﻩ ﺩﺍﺩﻩ ﻣﺠﻤﻮﻋﻪ ﺍﻱ ﺍﺯ ﺭﻛﻮﺭﺩﻫﺎ ﺭﺍ ﺍﻧﺘﺨﺎﺏ‬
‫ﻛﺮﺩﻩ ﻭ ﺁﻧﻬﺎ ﺭﺍ ﺑﻪ ﻻﻳﻪ ﻣﻨﻄﻘﻲ ﺑﺮ ﻣﻲ ﮔﺮﺩﺍﻧﺪ‪ .‬ﻻﻳﻪ ﻣﻨﻄﻘﻲ ﺭﻛﻮﺭﺩﻫﺎﻱ ﺑﺮﮔﺸﺘﻲ ﺭﺍ ﺗﺮﺟﻤﻪ ﻭ ﺗﺤﻠﻴﻞ‬
‫ﻣﻲ ﻛﻨﺪ ﻭ ﺭﻛﻮﺭﺩﻫﺎﻳﻲ ﻛﻪ ﻻﺯﻡ ﻧﺒﻮﺩﻩ ﺍﻧﺪ ﺭﺍ ﺣﺬﻑ ﻛﺮﺩﻩ ﻭ ﺭﻛﻮﺭﺩﻫﺎﻱ ﺩﺭﺧﻮﺍﺳﺖ ﺷﺪﻩ ﺭﺍ ﺑﻪ ﻻﻳﻪ‬
‫ﻧﻤﺎﻳﺶ ﺑﺮ ﻣﻲ ﮔﺮﺩﺍﻧﺪ‪ .‬ﺍﻳﻦ ﺭﻛﻮﺭﺩﻫﺎ ﻧﻴﺰ ﺩﺭ ‪ HTML‬ﺁﻣﻴﺨﺘﻪ ﺷﺪﻩ ﺗﺎ ﺑﻪ ﺻﻮﺭﺕ ﻣﻨﺎﺳﺒﻲ ﺑﺮﺍﻱ‬
‫ﻛﺎﺭﺑﺮ ﻧﻤﺎﻳﺶ ﺩﺍﺩﻩ ﺷﻮﺩ‪ .‬ﻭ ﺍﺯ ﺳﺮﻭﺭ ﻭﺏ ﺑﻪ ﺳﻤﺖ ﻣﺮﻭﺭﮔﺮ ﺑﺮﮔﺮﺩﺍﻧﺪﻩ ﻣﻲ ﺷﻮﺩ‪.‬‬
‫ﺧﻴﻠﻲ ﺍﺯ ﺗﻜﻨﻮﻟﻮﮊﻳﻬﺎﻱ ﺩﺭ ﺣﺎﻝ ﺣﺎﺿﺮ ‪ ،‬ﺑﻪ ﺻﻮﺭﺕ ﻭﺍﻗﻌﻲ ﻭ ﻋﻤﻠﻲ ﺍﺯ ﻳﻚ ﻳﺎ ﺑﻴﺸﺘﺮ ﺍﻳﻦ ﻻﻳﻪ ﻫﺎ‬
‫ﺍﺳﺘﻔﺎﺩﻩ ﻣﻲ ﻛﻨﻨﺪ ﺑﻨﺎﺑﺮﺍﻳﻦ ﺍﻏﻠﺐ ﺗﺸﺨﻴﺺ ﺩﺍﺩﻥ ﻻﻳﻪ ﻫﺎ ﺍﺯ ﻳﻜﺪﻳﮕﺮ ﻛﻤﻲ ﻣﺸﻜﻞ ﻣﻲ ﺑﺎﺷﺪ ﻭ ﺣﺘﻲ‬
‫ﺑﻌﻀﻲ ﻻﻳﻪ ﻫﺎ ﺩﺭﻭﻥ ﺑﻌﻀﻲ ﺩﻳﮕﺮ ﺍﺳﺘﻔﺎﺩﻩ ﻣﻲ ﺷﻮﺩ‪ .‬ﺑﻪ ﻋﻨﻮﺍﻥ ﻣﺜﺎﻝ ﺑﺮﻧﺎﻣﻪ ‪Active Server‬‬
‫‪ ( ASP ) Page‬ﺑﻪ ﺷﻤﺎ ﺍﺟﺎﺯﻩ ﻣﻲ ﺩﻫﺪ ﺩﺭﻭﻥ ﺻﻔﺤﺎﺕ ﻭﺏ ﺩﺭ ﻻﻳﻪ ﻧﻤﺎﻳﺶ ﺍﺯ ﻛﺪﻫﺎﻱ ﻻﻳﻪ ﻣﻨﻄﻘﻲ‬
‫ﺍﺳﺘﻔﺎﺩﻩ ﻛﻨﻴﺪ‪.‬ﺑﻨﺎﺑﺮﺍﻳﻦ ﻧﻴﺎﺯﻱ ﻧﻴﺴﺖ ﻛﻪ ﻳﻚ ﻛﺪ ﺍﺟﺮﺍﻳﻲ ﻣﺠﺰﺍ ﺑﺮﺍﻱ ﺩﺭﺧﻮﺍﺳﺘﻬﺎﻳﺘﺎﻥ ﺍﺯ ﭘﺎﻳﮕﺎﻩ ﺩﺍﺩﻩ ‪،‬‬
‫ﺩﺍﺷﺘﻪ ﺑﺎﺷﻴﺪ‪ ) .‬ﺍﮔﺮ ﭼﻪ ﺧﻴﻠﻲ ﺍﺯ ﺳﺎﻳﺘﻬﺎ ﺍﺯ ‪ COM object‬ﺑﺮﺍﻱ ﺩﺳﺘﺮﺳﻲ ﺑﻪ ﭘﺎﻳﮕﺎﻩ ﺩﺍﺩﻩ ﺍﺳﺘﻔﺎﺩﻩ‬
‫ﻣﻲ ﻛﻨﻨﺪ ﻭ ﻣﻤﻜﻦ ﺍﺳﺖ ﻛﻪ ﺍﻳﻦ ﻛﺎﺭ ﺩﺭ ﺑﻌﻀﻲ ﻣﻮﺍﺭﺩ ﺍﻳﻤﻦ ﺗﺮ ﺑﺎﺷﺪ‪( .‬‬

‫‪2 - Logic Layer‬‬


‫‪3 - Data Layer‬‬

‫‪4‬‬ ‫‪www.WebSecurityMgz.com‬‬
‫ﻣﺮﻭﺭﻱ ﺑﺮ ﻣﻌﻤﺎﺭﻱ ﻭﺏ‬

‫ﺗﻜﻨﻴﻜﻬﺎﻱ ﻣﺘﻨﻮﻉ ﺯﻳﺎﺩﻱ ﺑﺮﺍﻱ ﺍﻳﺠﺎﺩ ﺳﺎﻳﺘﻬﺎﻱ ﻭﺏ ﭼﻨﺪ ﻻﻳﻪ ﻭﺟﻮﺩ ﺩﺍﺭﺩ‪ .‬ﺑﻌﻀﻲ ﺍﺯ ﺍﻳﻦ ﺗﻜﻨﻴﻜﻬﺎ ﺩﺭ‬
‫ﺟﺪﻭﻝ ﺷﻤﺎﺭﻩ ‪ ١‬ﺁﻣﺪﻩ ﺍﺳﺖ‪.‬‬
‫ﺁﻧﭽﻪ ﻛﻪ ﻻﺯﻡ ﺍﺳﺖ ﺩﺭﺑﺎﺭﻩ ﺍﻳﻦ ﺗﻜﻨﻴﻜﻬﺎ ﺑﺪﺍﻧﻴﺪ ﺍﻳﻦ ﺍﺳﺖ ﻛﻪ ﺁﻧﻬﺎ ﺷﺒﻴﻪ ﻳﻚ ﻓﺎﻳﻞ ﺍﺟﺮﺍﻳﻲ ﺗﺮﺟﻴﺤﺎ‬
‫ﺍﻳﺴﺘﺎ ﻛﺎﺭ ﻣﻲ ﻛﻨﻨﺪ‪ .‬ﺑﺮﺍﻱ ﻣﺜﺎﻝ ﻳﻚ ﺩﺭﺧﻮﺍﺳﺖ ﺑﺮﺍﻱ ﻳﻚ ﺍﺳﻜﺮﻳﭙﺖ ‪ PHP‬ﻣﻤﻜﻦ ﺍﺳﺖ ﺑﻪ ﺻﻮﺭﺕ‬
‫ﺯﻳﺮ ﺑﺎﺷﺪ‪:‬‬
http://www.somesite.net/article.php?id=425&format=html
‫ﻫﻤﺎﻧﻄﻮﺭ ﻛﻪ ﻣﺸﺎﻫﺪﻩ ﻣﻲ ﻛﻨﻴﺪ ‪ ،‬ﻓﺎﻳﻞ ‪ article.php‬ﺷﺒﻴﻪ ﻳﻚ ﻓﺎﻳﻞ ﺍﺟﺮﺍﻳﻲ ﻋﻤﻞ ﻣﻲ ﻛﻨﺪ ﻭ ﭘﺎﺭﺍﻣﺘﺮﻫﺎﻳﻲ‬
‫ﻛﻪ ﻫﻤﺮﺍﻩ ﺑﺎ ﺁﻥ ﺍﺭﺟﺎﻉ ﺩﺍﺩﻩ ﺷﺪﻩ ﺍﻧﺪ ﻣﺎﻧﻨﺪ ﻭﺭﻭﺩﻱ ﻫﺎ ﻭ ﻳﺎ ﺁﺭﮔﻮﻣﺎﻧﻬﺎﻱ ﺍﻳﻦ ﻓﺎﻳﻞ ﺍﺟﺮﺍﻳﻲ ﻣﻲ ﺑﺎﺷﻨﺪ‪.‬‬

‫ﭘﺎﻳﮕﺎﻩ ﺩﺍﺩﻩ‬
‫ﻻﻳﻪ ﺩﺍﺩﻩ ﻣﻌﻤﻮﻻ ﺑﻪ ﻋﻨﻮﺍﻥ ﺁﺧﺮﻳﻦ ﻻﻳﻪ ﻳﻚ ﺑﺮﻧﺎﻣﻪ ﻛﺎﺭﺑﺮﺩﻱ ﻭﺏ ﺩﺭ ﻳﻚ ﻣﻌﻤﺎﺭﻱ ﭼﻨﺪﻻﻳﻪ ﺍﻱ ﻣﻲ ﺑﺎﺷﺪ‪.‬‬
‫ﺷﺎﻳﺪ ﺧﻴﻠﻲ ﺑﻴﺸﺘﺮ ﺍﺯ ﭼﻴﺰﻫﺎﻱ ﺩﻳﮕﺮ‪ ،‬ﭘﺎﻳﮕﺎﻫﻬﺎﻱ ﺩﺍﺩﻩ ﻣﺴﻮﻭﻝ ﺗﺤﻮﻝ ﻳﻚ ﻓﺮﻡ ﺍﺳﺘﺎﺗﻴﻚ ﺑﺮ ﭘﺎﻳﻪ ‪ HTML‬ﺑﻪ‬
‫ﻓﺮﻣﻬﺎﻱ ﺩﻳﻨﺎﻣﻴﻚ ‪ ،‬ﺑﺎﺯﻳﺎﺑﻲ ﺍﻃﻼﻋﺎﺕ ﺳﻴﺎﻝ ﻭ ﺭﻭﺍﻥ ﻭ ﺗﺠﺎﺭﺕ ﺍﻟﻜﺘﺮﻭﻧﻴﻚ ﺷﺪﻩ ﺑﺎﺷﻨﺪ‪.‬‬
‫ﺑﻴﺸﺘﺮﻳﻦ ﺯﻣﻴﻨﻪ ﻛﺎﺭﻱ ﭘﺎﻳﮕﺎﻫﻬﺎﻱ ﺩﺍﺩﻩ ﺩﺭ ﻭﺏ ﺭﻭﻱ ﺩﻭ ﻋﻨﻮﺍﻥ ﻣﻲ ﭼﺮﺧﺪ‪ SQL :‬ﻭ ‪ .Oracle‬ﻣﻮﻟﻔﻪ ﻫﺎﻱ‬
‫ﻻﻳﻪ ﻣﻨﻄﻘﻲ ﺍﺯ ﺍﺭﺗﺒﺎﻁ ﺩﻫﻨﺪﻩ ﻫﺎﻱ ﻣﻌﺮﻭﻑ ﺑﺮﺍﻱ ﺑﺮﻗﺮﺍﺭﻱ ﺍﺭﺗﺒﺎﻁ ﺑﺎ ﭘﺎﻳﮕﺎﻫﻬﺎﻱ ‪ ،‬ﺳﺎﺧﺘﻦ ‪ query‬ﻫﺎ ‪ ،‬ﺑﻪ‬
‫ﺭﻭﺯ ﺭﺳﺎﻧﻲ ﺭﻛﻮﺭﺩﻫﺎ ﻭ ‪ ...‬ﺍﺳﺘﻔﺎﺩﻩ ﻣﻲ ﻛﻨﺪ‪ .‬ﻳﻜﻲ ﺍﺯ ﻋﻤﻮﻣﻲ ﺗﺮﻳﻦ ﺭﺍﺑﻄﻬﺎﻳﻲ ﻛﻪ ﺍﻣﺮﻭﺯﻩ ﺍﺳﺘﻔﺎﺩﻩ ﻣﻲ ﺷﻮﺩ‬
Open Database Connectivity و یا ODBC می باشد.
‫ﺩﺭ ﺯﻳﺮ ﺷﻤﺎﻱ ﻛﻠﻲ ﻳﻚ ﺩﺭﺧﻮﺍﺳﺖ ﻭ ﭘﺎﺳﺦ ﻭ ﻣﻌﻤﺎﺭﻱ ﺑﺮﻧﺎﻣﻪ ﻫﺎﻱ ﻛﺎﺭﺑﺮﺩﻱ ﺭﺍ ﻣﺸﺎﻫﺪﻩ ﻣﻲ ﻛﻨﻴﺪ‪.‬‬

‫‪5‬‬ ‫‪www.WebSecurityMgz.com‬‬
‫ﻣﺮﻭﺭﻱ ﺑﺮ ﻣﻌﻤﺎﺭﻱ ﻭﺏ‬

Web
App
Database
WEB Web
Web Internet Connector
Server App
client Database
Web
App

Search for:
Search.php Fname.db
Search.html

Result.html

Presentation Layer Logic Layer Data Layer

‫ﺷﺮﻛﺖ ﻫﺎ‬ ‫ﺗﻜﻨﻮﻟﻮﮊﻳﻬﺎ‬


Microsoft Active Server Pages (ASP)
ASP .NET
ISAPI
Component Object Model (COM)
JavaScript

Sun Microsystem Java 2 Enterprise Edition (J2EE), including


IBM Websphere Java Servlets
BEA Weblogic Java Server Pages (JSP)
CORBA

Apache Software Foundation PHP (Hypertext Preprocessor)


Jakarta (server – side Java)

(none) HTML
CGI (including Perl)

6 www.WebSecurityMgz.com
