RE: web application vs. web site was Re: Securing CF Apps.
BTW, saying that a user being able to bookmark something is valid for a web "site" but not for an application is not true either. There are plenty of applications, whether desktop or HTTP based, that can benefit from bookmarking.

Quick made up example: say I have a human resources application. The HR director is currently involved with unemployment negotiations with one employee, and hiring negotiations for two others. The HR director needs quick access to all their employee data on a daily basis.

Scenario A: He starts at the application's splash screen, selects "Employees" from a menu, types somebody's first and last name into a search box, then clicks to choose between "Smith, Joe D." and "Smith, Joe G.". He has to do this every time he needs to bring the employment record up again.

Scenario B: HR director does that once, then bookmarks the employee file. Afterwards, it's easy to get back to it, and when the negotiations involving that employee are finished, he deletes the bookmark.

The benefit of the bookmark is the same regardless of whether the *application* is a client-side executable or a site served up remotely via HTTP and HTML.

Conan

Re: web application vs. web site was Re: Securing CF Apps.
Whether or not something is called a "site" or an "application" has no bearing on security, so I still don't see the relevance of that argument.

----- Original Message -----
From: Conan Saunders <[EMAIL PROTECTED]>
Date: Tuesday, March 23, 2004 3:17 pm
Subject: web application vs. web site was Re: Securing CF Apps.

> There are two separate issues here, let's not mix them:
>
> 1) What is a web "application" vs. what is a web "site"
> 2) Once you've settled on your definitions for the above two, you can have your security discussion without arguments in which both people are "right" because they are talking about two different things.
>
> The first topic is just semantics, as Kwang said, and it's clear not everybody is using the same definitions. If you want to talk about the first, why don't you break that discussion out into this separately titled thread?
>
> Here are my thoughts about web "applications" vs web "sites":
>
> 1) "Web site" refers to all sites, whether public or private (intranet), in which a user can use a normal browser to resolve a DNS name and load some HTML pages, is a web site. Some web sites are static, some are dynamic. Some include powerful search engines, transactional e-commerce, and other stuff. These are all web sites.
>
> 2) To me, a "web application" is a subset of "web site" that has interactive, dynamic functionality, even for anonymous users. If the user can do more than just request static pages, then the site is a web application. Requests and responses for a web application take place across the web or an intranet, and they take place within a normal browser. All the normal browser interface pieces are available (single-click a link to navigate, ability to bookmark, ability to type in a URL, hit the back button, right click and open a page in a new window, etc.)
>
> 3) I would then define a third category that covers what Tim was talking about: private, closed systems that attempt to mimic regular desktop software applications as closely as possible but just so happen to operate over HTTP and output to HTML. The developer may try to lock down the user experience as much as possible, utilizing fixed entry points and fixed navigation UI and attempting to shut down or hide normal browser functionality like URL entry, "back" and "refresh" buttons, etc.
>
> The disagreement seems to be that some people define "web application" as #2, while others define it as #3. I think calling only #3 a "web application" and not #2 is a mistake. Amazon, google, imdb, any run-of-the-mill e-commerce site... to me, these are all applications, and URLs are just part of the application interface. With web services, and as tag-based software development creeps out of the browser and into the OS itself, the line is only going to get blurrier. I think you'll be better off in the long run if you don't limit your definition of "web application" to #3.
>
> Conan
>
>
> At 03:37 PM 3/23/2004, you wrote:
> >Like you said Tim, some people have a hard time distinguishing between an application and a site.
> >
> >-adam
> >
> > > -----Original Message-----
> > > From: Kwang Suh [EMAIL PROTECTED]
> > > Sent: Tuesday, March 23, 2004 09:16 PM
> > > To: 'CF-Talk'
> > > Subject: RE: Securing CF Apps.
> > >
> > > > There are different controls that you would use for different purposes. Obviously an ecommerce SITE (which is what Amazon is) needs users to be able to return to a specific product.
> > >
> > > Pure semantics. I'm sure those guys at Amazon would beg to differ with you.
> > >
> > > > Web services security is very different from either public site or application security. You're comparing apples and oranges.
> > >
> > > Hardly. Web services are an internet-based resource that may or may not be protected.

RE: web application vs. web site was Re: Securing CF Apps.
What if you take a standalone desktop application and completely port its functionality to something like Cold Fusion or .NET, the only difference being that it can be accessed from anywhere in the world by firing up a browser and typing a URL, rather than clicking an .EXE on the local machine. Like if hotmail offered exactly the same functionality as Outlook, just within the I/O offered by a browser. You still wouldn't call that an application?

That's why I think your much narrower definition of "web application" isn't as useful as the broader definition that would include Amazon, e-commerce sites, and pretty much any other dynamic site that responds to user input with more than just static pages.

Conan

At 04:38 PM 3/23/2004, you wrote:
>I think something used to either sell products on the web, or provide information on the web is a site. Now the site might be controlled by a back end content management system, or some sort of inventory application, but the rest of it is a web site.
>
>--
>Timothy Heald
>Web Portfolio Manager
>Overseas Security Advisory Council
>U.S. Department of State
>571.345.2319

web application vs. web site was Re: Securing CF Apps.
There are two separate issues here, let's not mix them:

1) What is a web "application" vs. what is a web "site"
2) Once you've settled on your definitions for the above two, you can have your security discussion without arguments in which both people are "right" because they are talking about two different things.

The first topic is just semantics, as Kwang said, and it's clear not everybody is using the same definitions. If you want to talk about the first, why don't you break that discussion out into this separately titled thread?

Here are my thoughts about web "applications" vs web "sites":

1) "Web site" refers to all sites, whether public or private (intranet), in which a user can use a normal browser to resolve a DNS name and load some HTML pages, is a web site. Some web sites are static, some are dynamic. Some include powerful search engines, transactional e-commerce, and other stuff. These are all web sites.

2) To me, a "web application" is a subset of "web site" that has interactive, dynamic functionality, even for anonymous users. If the user can do more than just request static pages, then the site is a web application. Requests and responses for a web application take place across the web or an intranet, and they take place within a normal browser. All the normal browser interface pieces are available (single-click a link to navigate, ability to bookmark, ability to type in a URL, hit the back button, right click and open a page in a new window, etc.)

3) I would then define a third category that covers what Tim was talking about: private, closed systems that attempt to mimic regular desktop software applications as closely as possible but just so happen to operate over HTTP and output to HTML. The developer may try to lock down the user experience as much as possible, utilizing fixed entry points and fixed navigation UI and attempting to shut down or hide normal browser functionality like URL entry, "back" and "refresh" buttons, etc.

The disagreement seems to be that some people define "web application" as #2, while others define it as #3. I think calling only #3 a "web application" and not #2 is a mistake. Amazon, google, imdb, any run-of-the-mill e-commerce site... to me, these are all applications, and URLs are just part of the application interface. With web services, and as tag-based software development creeps out of the browser and into the OS itself, the line is only going to get blurrier. I think you'll be better off in the long run if you don't limit your definition of "web application" to #3.

Conan

At 03:37 PM 3/23/2004, you wrote:
>Like you said Tim, some people have a hard time distinguishing between an application and a site.
>
>-adam
>
> > -----Original Message-----
> > From: Kwang Suh [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, March 23, 2004 09:16 PM
> > To: 'CF-Talk'
> > Subject: RE: Securing CF Apps.
> >
> > > There are different controls that you would use for different purposes. Obviously an ecommerce SITE (which is what Amazon is) needs users to be able to return to a specific product.
> >
> > Pure semantics. I'm sure those guys at Amazon would beg to differ with you.
> >
> > > Web services security is very different from either public site or application security. You're comparing apples and oranges.
> >
> > Hardly. Web services are an internet-based resource that may or may not be protected.