Application Server What’s New in Version 10 Deployment Alpha Five v10 is designed to let people RAPIDLY build interactive AJAX web applications against SQL databases that rival desktop applications in speed, smoothness and richness See InfoWorld Article August 24, 2009 http://www.infoworld.com/d/developer-world/alpha-five-v10-does-codeless-ajax-625

Topics What’s New in Version 10 Deployment

What’s New in Version 10

Deployment

What’s New in Version 10 Performance Security Functionality/Configuration

Performance

Security

Functionality/Configuration

What’s New in Version 10 Performance A Peek at What the Server Spends Time Doing

A Peek at What the Server Spends Time Doing

What’s New in Version 10 Performance What is the Server Overhead? Read and Parse incoming request Determine action required to fulfill request Retrieve/Instantiate session Set up A5W execution environment Prepare and send response back to client

What is the Server Overhead?

Read and Parse incoming request

Determine action required to fulfill request

Retrieve/Instantiate session

Set up A5W execution environment

Prepare and send response back to client

What’s New in Version 10 Performance Request Parsing More efficient socket reading Totally new parser Orders of magnitude faster Tightens up potential attack vectors Paves way for future functionality

Request Parsing

More efficient socket reading

Totally new parser

Orders of magnitude faster

Tightens up potential attack vectors

Paves way for future functionality

What’s New in Version 10 Performance Set up A5W execution environment Cache the Application Root Cache a5_application.a5i

Set up A5W execution environment

Cache the Application Root

Cache a5_application.a5i

What’s New in Version 10 Performance Prepare and Send Response Cache gzipped output for static resources Optimized output sending

Prepare and Send Response

Cache gzipped output for static resources

Optimized output sending

What’s New in Version 10 Performance The Results? Vary with type of request, hardware, etc. On average, server overhead is about ½ of what it is in V9 Large gzipped static resources have the most significant improvement

The Results?

Vary with type of request, hardware, etc.

On average, server overhead is about ½ of what it is in V9

Large gzipped static resources have the most significant improvement

What’s New in Version 10 Performance Security Functionality/Configuration

Performance

Security

Functionality/Configuration

What’s New in Version 10 Security Security is implemented at many levels. Most significant in core server are: Connection handling Request parsing Session management

Security is implemented at many levels. Most significant in core server are:

Connection handling

Request parsing

Session management

What’s New in Version 10 Security Connection Handling Intentionally malformed socket communications have potential to crash server Largely the operating system’s responsibility Application Server adds additional protection

Connection Handling

Intentionally malformed socket communications have potential to crash server

Largely the operating system’s responsibility

Application Server adds additional protection

What’s New in Version 10 Security Request parsing is dangerous business Depends on input from an untrusted source Uses untrusted input to create variables, take actions, etc. Most common area of exploit across web servers The new request parser has further protection against attacks via request parsing.

Request parsing is dangerous business

Depends on input from an untrusted source

Uses untrusted input to create variables, take actions, etc.

Most common area of exploit across web servers

The new request parser has further protection against attacks via request parsing.

What’s New in Version 10 Security Session Management Cookie lifetime matches session lifetime Cookie is an Http-Only cookie If using SSL, cookie is a “Secure” cookie Server prevents recycling of session IDs

Session Management

Cookie lifetime matches session lifetime

Cookie is an Http-Only cookie

If using SSL, cookie is a “Secure” cookie

Server prevents recycling of session IDs

What’s New in Version 10 Performance Security Functionality/Configuration

Performance

Security

Functionality/Configuration

What’s New in Version 10 Functionality Logging Options Thread transition logging Xbasic error stack logging

Logging Options

Thread transition logging

Xbasic error stack logging

What’s New in Version 10 Functionality Session.BrowserId Similar to V9 session Id Does not change across sessions Can be used to uniquely identify browser across sessions

Session.BrowserId

Similar to V9 session Id

Does not change across sessions

Can be used to uniquely identify browser across sessions

What’s New in Version 10 Functionality New Response Methods AddCookie() supports Http-Only and Secure cookies AddHeader() supports additional header syntax Expire() directs client on how long to cache the resource NoCache() directs client to not cache resource Redirect() supports Permanent (301) redirects SendFile() easily send a file back to clients

New Response Methods

AddCookie() supports Http-Only and Secure cookies

AddHeader() supports additional header syntax

Expire() directs client on how long to cache the resource

NoCache() directs client to not cache resource

Redirect() supports Permanent (301) redirects

SendFile() easily send a file back to clients

What’s New in Version 10 Functionality Error Pages Custom error pages can now execute A5W code Write your own error handlers that email administrator, attempt to fix mistyped URL, or take just about any other action you can code in Xbasic

Error Pages

Custom error pages can now execute A5W code

Write your own error handlers that email administrator, attempt to fix mistyped URL, or take just about any other action you can code in Xbasic

What’s New in Version 10 Functionality IP Address Binding Server can now run on just one of a machine’s addresses Allows for multiple servers on same system using same port to serve different applications

IP Address Binding

Server can now run on just one of a machine’s addresses

Allows for multiple servers on same system using same port to serve different applications

What’s New in Version 10 Functionality Enable/Disable Built-in Functionality Alpha favicon Alpha logo used in a5w_info() output .a5ajax processing .a5image processing Alpha JavaScript library Automatic sample pages deployment

Enable/Disable Built-in Functionality

Alpha favicon

Alpha logo used in a5w_info() output

.a5ajax processing

.a5image processing

Alpha JavaScript library

Automatic sample pages deployment

What’s New in Version 10 Functionality Configuration Options Timeout for header reading Timeout for full request reading Timeout for Keep-Alive connections Maximum Keep-Alive requests per connection Maximum URI length

Configuration Options

Timeout for header reading

Timeout for full request reading

Timeout for Keep-Alive connections

Maximum Keep-Alive requests per connection

Maximum URI length

What’s New in Version 10 Functionality Version 9 Compatibility Server Runs the old Version 9 server Removes all new Version 10 functionality Provided for debugging purposes only

Version 9 Compatibility Server

Runs the old Version 9 server

Removes all new Version 10 functionality

Provided for debugging purposes only

Topics What’s New in Version 10 Deployment

What’s New in Version 10

Deployment

Deployment Web application or browser-based application? Web browser is used for UI, but app does not need to be on the Internet Recommended approach for new development work

Web application or browser-based application?

Web browser is used for UI, but app does not need to be on the Internet

Recommended approach for new development work

Deployment The primary deployment issue is where to host your application. But other questions must be answered first. Who needs access to the application? Is this a hybrid app or browser-based only? Internal resources

The primary deployment issue is where to host your application. But other questions must be answered first.

Who needs access to the application?

Is this a hybrid app or browser-based only?

Internal resources

Deployment Who needs access to the application? Internal users on local network Internal users at remote location(s) External users at specific remote location(s) General public Internet

Who needs access to the application?

Internal users on local network

Internal users at remote location(s)

External users at specific remote location(s)

General public Internet

Deployment Browser-based only or hybrid app? A desktop app with DBF suggests hosting locally A desktop app with no DBF is more flexible Purely browser-based provides more options

Browser-based only or hybrid app?

A desktop app with DBF suggests hosting locally

A desktop app with no DBF is more flexible

Purely browser-based provides more options

Deployment Internal Resources Once installed, little ongoing maintenance is needed Greater availability tends to be difficult for smaller companies

Internal Resources

Once installed, little ongoing maintenance is needed

Greater availability tends to be difficult for smaller companies

Deployment Given these considerations, should you host it internally or use a hosting provider? Internal typically gives you greater control, makes broader access more difficult, and has a greater initial cost. Hosting providers can provision quickly, specialize in keeping your server running 24x7, can limit or open access as desired, may be slower for internal users.

Given these considerations, should you host it internally or use a hosting provider?

Internal typically gives you greater control, makes broader access more difficult, and has a greater initial cost.

Hosting providers can provision quickly, specialize in keeping your server running 24x7, can limit or open access as desired, may be slower for internal users.

Deployment Regardless of internal or outsourced hosting, consider the hardware configuration Memory is inexpensive and greatly improves performance Disk drives often create a bottleneck Many database tasks are CPU intensive For a detailed discussion, see Kurt’s articles on blog.alphasoftware.com

Regardless of internal or outsourced hosting, consider the hardware configuration

Memory is inexpensive and greatly improves performance

Disk drives often create a bottleneck

Many database tasks are CPU intensive

For a detailed discussion, see Kurt’s articles on blog.alphasoftware.com

Questions/Discussion

Questions/Discussion