[AWS] AWS server and cookies

David Marceau davidmarceau@sympatico.ca
Sun, 24 Nov 2002 18:45:08 -0500



Much of the following is a tangent from the usual AWS discussion so be
warned you might want to ignore this.
> Michał Morawski wrote:
> 
> The AWS exam server does NOT serve simple questions.
> Most of them are created dynamically
Not a problem IMHO.  Something dynamic on the client can be implemented
into something static on the server side.
> and randomly selected from rather large set, 
Not a problem. 
> so probability of the same set for neighbour student is close to zero.

> Third The submit cannot be redirected directly to Apache because the
> result of exam must be evaluated, 
I would understand "evaluated" as some state, described as a teacher
acknowledging that he/she reviewed a specific exam for a specific
student on a specific date.
> where most of questions are
> generated on demand of particular student. Therefore AFTER evaluation,
> the results are passed to Apache (but not questions, bad and good
> answers etc.)
IMHO I think it isn't necessary to move the data to apache only after
evaluation.  You could do your "evaluation" capability on the apache
side.
Both "evaluating" and "evaluated" states are just that: states of the
data set.
Your architecture implies some redundant data going on between the
apache and the aws. It's ok if that's acceptable for you.
Obviously you've thought about backups of your data set and who gets
access to the data set.

> 
> The exam server rather cannot be implemented as an applet because an
> applet is too easy to reverse engineer.
There are people who sell applet code obfuscators which in effect help
to reduce the probability of successful reverse-engineering in order to
open up your alternatives i.e. www.cloakware.com
The majority of PKI/e-commerce sites are fat-clients using java
applets.  Why?  It is because the java applets call services that are
installed natively on your machine that do the encryption/decryption for
the secure transactions going on.  In fact they are among the only
native services usually permitted by the java applets to be called
outside of the jvm (usually.  I know there are exceptions).
That said, yes, you may do PKI/e-commerce completely without java, hence
your desire to learn aws.

> BTW. I have another problem with cookie.
> 
> Please imagine you use some server and set some settings. Then, the
> next day you want to continue to collaborate with the server, but your
> settings are lost.
Ok you have some settings saved on your server as part of the
user/student data exam session.
The probability of losing your session settings is as high as losing
your exam session data.
If you lost your server exam settings you probably lost your exam
session.

> I have an idea, to set a cookie on the client where settings are
> stored, so settings are kept even if the server is restarted, and - more
Placing all your server session settings in your client web browser
cookies... It is a possibility that you can do this, however I don't see
how it would add value if your server exam session data is lost.  It is
true that fat client architecture is where you are heading once you save
lots of data on the web browser client.  From what I understand though
you don't want to go with really fat clients because you are worried
about reverse engineering and security via the applets.  Well you will
have a security issue if someone else manipulates your cookies in your
web browser.  You want either a thin client or fat client.
Sure you can go with a mix.

> important - to limit memory and time consumption by the server (the
> server works as a simple SCADA, so it consumes many of the computer's
> resources), where many users observe different signals.
> 
> Do you think, my idea is correct?
If you can't get your cookie design to work then it's hinting maybe that
it should be done another way.
More and more I think cookies are not what you need.  Just leave
everything on the web servers.  At least in this manner it is consistent
with your thin client design.  Apart from that I have no major
contradictions to anything you just mentioned.
I am not a big fan of fat java clients but I must admit I love
flash-based GUIs since they are beautiful, they do work and they
certainly would motivate the students more via some entertainment while
taking the exam somehow (i.e. a stupid joke/animation/sound).  If you want
an example see www.joecartoon.com built with flash.  If you like flash
you might want to consider using ming sdk with your php code on apache. 
There is no reason why taking an exam can't be fun.  Have you placed
into your design student authentication using PKI?  If your client is
fat for any reason, it will be because you want a secure connection i.e.
SSL/PKI/...  Yes all this may still intertwine with what aws should do
also and there is nothing stopping you from having aws serve up
everything instead of apache.

I hope this helps.  Cheers :)
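As an added example (not code from this thread, nor from AWS or Apache), this is the integrity check a server needs if it keeps per-user settings in a browser cookie as discussed above: the settings travel in the cookie, so they survive a server restart, but an HMAC under a server-side key lets the server reject any cookie the browser altered. Python is used for brevity; the demo secret, user name and settings values are constructed.

```python
"""Signed settings cookie: the client stores the settings, the server
keeps only a secret key and can detect any modification. Added example,
not part of the original mailing-list discussion."""
import base64
import hashlib
import hmac
import json

# Constructed demo secret. In practice load it from a file or key store
# that survives restarts, otherwise every restart invalidates every cookie.
SERVER_SECRET = b"demo-secret-do-not-use-in-production"


def b64enc(raw: bytes) -> str:
    """Cookie-safe base64 without padding."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def b64dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_settings_cookie(user: str, settings: dict, secret: bytes = SERVER_SECRET) -> str:
    """Serialize the settings, bind them to the user, and append an HMAC tag."""
    payload = json.dumps({"user": user, "settings": settings}, sort_keys=True).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return b64enc(payload) + "." + b64enc(tag)


def read_settings_cookie(cookie: str, expected_user: str, secret: bytes = SERVER_SECRET):
    """Return the settings dict, or None if the cookie is malformed, was
    altered after signing, or was issued to a different user."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = b64dec(payload_b64)
        tag = b64dec(tag_b64)
    except (ValueError, TypeError):
        return None
    # Verify the tag before parsing anything: untrusted JSON is never
    # decoded unless it was signed by this server's key.
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    data = json.loads(payload)
    if data.get("user") != expected_user:
        return None
    return data.get("settings")
```

Confidential values (grades, answer keys) still do not belong in the cookie: the tag proves integrity, not secrecy, and the payload is readable by anyone holding the browser.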