A web application (also online application, web application, or web app for short) is an application program based on the client-server model. Unlike classic desktop applications, web applications are not installed locally on the user's computer. Data processing takes place partly on a remote web server, and the results are transferred to the user's local client computer (thin client). A web application is mostly used via a web browser, which usually exchanges data with the web server using the HTTP protocol.
However, parts of the execution logic should not be executed on the server but on the client computer, especially for validation. Input errors are then recognized locally, and feedback is given to the user immediately without waiting for a reply from a remote server. With AJAX technology, only parts of the content in the web client are updated, without the web page having to be requested again. Such a distribution can be extended up to a fat client architecture (see single-page web applications).
A web application is started, for example, by entering the URL of the web server in the browser, which sends a request (HTTP request). The web server receives the request and forwards it to the web application, which generates or loads the HTML source code of a web page; this is sent back from the web server to the user's browser (HTTP response). This web page is the graphical user interface of the web application. In terms of the layer architecture of a web application, the presentation layer is executed in the web browser (thin client), while parts of the logic layer and the data storage are carried out on the server.
By clicking a hyperlink on this web page or by filling out and submitting a form, the user starts a new request to the web server. Typically, additional information such as the entries made in the form (HTTP POST), the parameters of the link (HTTP GET) and the data of an HTTP cookie is transmitted to the web server and processed as input by the web application. The web application is integrated into the web server via interfaces such as the Common Gateway Interface or FastCGI; in this way requests are forwarded to the web application and its output is sent back as the response. The processing of such an HTTP request by the web application is also called the request cycle.
When web apps are used, session data (e.g. order data from a web shop) is stored on the server in databases or files. User-related data can also be stored on the client side in HTTP cookies. Server-side session information consumes server resources for each active user session and also makes horizontal scaling of web applications difficult. Alternative architectural approaches such as single-page web applications or the REST paradigm therefore combine server-side with client-side execution.
While a web application once generated only the HTML source code of the web page, today images, animations, videos, audio files and PDF documents are also generated.
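The request cycle just described (URL parameters as HTTP GET, form fields as HTTP POST, an HTTP cookie carrying a session ID, and a server-side session store) as a worked example. This is an added illustration, not code from the article or from any particular framework. It assumes a WSGI-style calling convention, in which the web server hands the application an `environ` dictionary and receives the HTML back; the `SESSIONS` dictionary, the `call()` driver and the sample requests are all constructed here for the demonstration.

```python
"""One request cycle of a web application (added example, not from the article).

Assumes a WSGI-style interface: the server passes `environ` (method, query string,
body, cookies) and the app returns the HTML page. `SESSIONS` is a hypothetical
in-memory session store; a deployment would use a database or files instead.
"""
import html
import io
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# session ID -> per-user data, kept on the server (constructed for this example)
SESSIONS = {}


def get_session(environ):
    """Return (session_id, session_dict); start a fresh session when the cookie is
    missing or names an unknown session (a forged ID must not map to anyone's data)."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    sid = cookie["sid"].value if "sid" in cookie else None
    if sid not in SESSIONS:
        sid = secrets.token_urlsafe(32)  # unguessable ID: guessing is not a viable hijack
        SESSIONS[sid] = {}
    return sid, SESSIONS[sid]


def application(environ, start_response):
    """WSGI entry point: one call is one request cycle."""
    sid, session = get_session(environ)
    # HTTP GET parameters arrive in the query string of the URL.
    query = parse_qs(environ.get("QUERY_STRING", ""))
    # HTTP POST form fields arrive in the request body.
    form = {}
    if environ.get("REQUEST_METHOD") == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(length).decode("utf-8"))
    # Keep the submitted name in the server-side session so later requests see it.
    if "name" in form:
        session["name"] = form["name"][0]
    name = session.get("name", "guest")
    page = query.get("page", ["home"])[0]
    # html.escape() on every user-supplied value: input is rendered as text,
    # never interpreted as markup (the cross-site scripting mitigation).
    body = (
        "<html><body>"
        f"<h1>{html.escape(page)}</h1>"
        f"<p>Hello, {html.escape(name)}</p>"
        '<form method="post"><input name="name"><button>Send</button></form>'
        "</body></html>"
    ).encode("utf-8")
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(body))),
        # HttpOnly keeps page scripts from reading the session cookie;
        # SameSite=Lax limits cross-site request forgery.
        ("Set-Cookie", f"sid={sid}; HttpOnly; SameSite=Lax; Path=/"),
    ]
    start_response("200 OK", headers)
    return [body]


def call(method, query="", body="", cookie=""):
    """Drive `application` without a web server; returns (status, headers, html)."""
    raw = body.encode("utf-8")
    environ = {
        "REQUEST_METHOD": method,
        "QUERY_STRING": query,
        "CONTENT_LENGTH": str(len(raw)),
        "wsgi.input": io.BytesIO(raw),
        "HTTP_COOKIE": cookie,
    }
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    page = b"".join(application(environ, start_response)).decode("utf-8")
    return captured["status"], captured["headers"], page


if __name__ == "__main__":
    # Constructed walk-through: GET starts a session, POST stores a name in it,
    # the next GET with the same cookie sees that name, HTML-escaped.
    _, headers, _ = call("GET", query="page=home")
    sid_cookie = headers["Set-Cookie"].split(";")[0]
    call("POST", body="name=%3Cscript%3Ex%3C%2Fscript%3E", cookie=sid_cookie)
    print(call("GET", cookie=sid_cookie)[2])
```

The same `application` function can be served by any WSGI-capable server (for instance the standard library's `wsgiref.simple_server`); WSGI plays the role that CGI and FastCGI play in the text, namely the interface through which the web server hands requests to the application and collects its output.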
How mobile web apps work
A web application usually runs on the web server, but it can also be outsourced to one or more application servers, which are supplied with user requests by one or more web servers. Two architectures can be distinguished:
- The web application is an independent binary program, or a script interpreted by an independent binary program, which is started anew for each request. Such applications are usually called CGI programs.
- The web application is part of the web server, or a script interpreted by the web server. A program no longer has to be started for each request cycle. Examples: PHP, Perl, Python, Ruby (each interpreted by corresponding modules of the web server), Java Servlets, JavaServer Pages or ASP.NET.
Traditionally, a web application is executed predominantly on the server side. There are also distribution variants that provide for a more client-heavy execution of a web application: the web client becomes an increasingly independent unit in order to relieve server-side resources. These approaches are particularly relevant for B2C applications such as Facebook or Gmail, since such projects can be expected to attract large numbers of users. The user experience can also be improved, since client-server communication, which slows down the reaction times of web applications, does not have to be triggered for every interaction with the web client.
- Rich Internet Application
- Single-page web applications
- Web service
Web applications require only a web browser on the user's computer, which is usually already available. In contrast to conventional client-server applications, no further software installation is necessary, apart from browser plug-ins such as Flash. As a result, web applications achieve a high degree of platform independence, provided that many browsers are supported.
If the logic of a web application has to be changed, changes are necessary only in one central place, the web server, which has a favorable effect on maintenance costs. This also results in security advantages: security gaps can be closed immediately, and even if the web application is completely compromised, other programs on the user's system are generally not endangered.
A connection to the web server is required to use a web application, and the data rate of the connection must be designed for the requirements of the web application. This excludes web applications by definition from a number of usage scenarios, such as mobile offline use. Web applications identify registered users by session ID, which can lead to security problems (see below).
A web application needs to receive user input. The HTML forms used for this purpose today first appeared in the draft for "HTML+" of November 8, 1993. But even the first HTML version by Tim Berners-Lee offered a way to send parameters to the web server, the "isindex" tag. The parameters were appended to the URL, the forerunner of the HTTP GET method. The first major system that made use of this was very likely a web interface to "SPIRES-HEP", a database at Stanford University. This ancestor of all today's web applications went online in 1991.
The first web browser to implement extensive support for HTML forms was NCSA Mosaic 2.0 in December 1993, at that time the most popular browser. The first server-side interface for receiving form data was "htbin", published on November 4, 1993 as part of version 2.13 of the W3C HTTP server. The CGI interface, which is still in use today, followed on February 11, 1994 in release 2.15 beta. CGI is independent of the programming language used. C or Perl were used for the first web applications; Perl suggested itself because of its powerful functions for processing character strings.
The first web application to be noticed by the general public also originated at Stanford University. Two students developed the Yahoo web directory from their personal bookmark management. They used Perl as their programming language.
In the following years there were further developments of the CGI interface that improved performance. In the spring of 1997, Sun Microsystems published the servlet technology. Servlets are Java programs that are very similar to CGI programs. The main difference is that an HTTP request is not processed in a separate process but only in a separate thread, which brought a huge gain in performance.
The process of assembling web pages from HTML code that was hard-coded in the program, however, posed a major problem: it was cumbersome to program and did not allow a separation of logic and content. This problem was resolved in similar ways by several parties: the program code for the dynamically generated output was embedded in the otherwise static HTML. This approach is followed by the PHP language, which emerged from a Perl-based project around 1997, by JavaServer Pages, which are based on servlets, and by Active Server Pages (ASP) from Microsoft.
At the time of the great Internet boom around the turn of the millennium, web applications experienced a huge boost. Many of the New Economy companies celebrated on the stock exchange built their business model on a web application. The exaggerated expectations led to the bursting of the so-called dot-com bubble in 2001. During this time, however, web applications such as eBay, Yahoo and Google were born, which have since become a natural part of web life.
Frameworks and tools
There are different frameworks for creating web apps:
- Web frameworks for data storage, data processing and presentation (such as ASP.NET MVC , Spring or Symfony )
- CSS frameworks for graphical user interfaces especially for responsive web design (such as Bootstrap )
The competencies of classic web designers and mobile web app developers differ significantly in that the focus in the mobile Internet is on the context and not (only) on the content. The user interface in particular is an important factor in the development of mobile web apps.
Web application security is too broad a field to cover here; this section is therefore limited to well-known attack possibilities in connection with web applications. Attacks against a web application can be prevented by avoiding security gaps during implementation, or made more difficult or defended against by the use of upstream web application firewalls.
- SQL injection - supplying query parameters that contain SQL control characters
- Cross-site scripting (XSS) - injection of third-party scripts to manipulate the website
- Session hijacking - taking over a user session
- Cross-site request forgery - redirecting the web client to other URLs
- Directory traversal - manipulation of path information in order to access arbitrary server-side resources
- E-mail injection - sending one's own e-mails via contact forms
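Two of the attack classes in the list above, SQL injection and directory traversal, shown as a vulnerable function beside its hardened form so that the implementation-level fix the text refers to is concrete. This is an added example, not code from the article or from any listed project; the SQLite table, the temporary document root, the `run_demo()` driver and the constructed inputs exist only for the demonstration.

```python
"""Vulnerable and hardened forms of two attack classes listed in the article
(added example). The database, document root and inputs are constructed here.
"""
import os
import sqlite3
import tempfile


def make_db():
    """Constructed user table for the demonstration."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user")])
    return con


def lookup_vulnerable(con, name):
    """Builds the statement by string concatenation: SQL control characters in
    `name` change the structure of the query instead of being treated as data."""
    rows = con.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()
    return [r[0] for r in rows]


def lookup_hardened(con, name):
    """Parameterized query: `name` is bound as a value by the driver, so the SQL
    text stays the same whatever characters the user supplies."""
    rows = con.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


def read_file_vulnerable(base_dir, user_path):
    """Joins the user-supplied path onto the document root without checking it,
    so '..' segments walk out of base_dir."""
    with open(os.path.join(base_dir, user_path), "rb") as f:
        return f.read()


def read_file_hardened(base_dir, user_path):
    """Resolves the final path (symlinks and '..' included) and refuses anything
    that does not stay inside base_dir."""
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes document root: {user_path!r}")
    with open(target, "rb") as f:
        return f.read()


def make_docroot():
    """Constructed layout: <tmp>/www/index.html inside the document root and
    <tmp>/secret.txt one level above it."""
    tmp = tempfile.mkdtemp()
    www = os.path.join(tmp, "www")
    os.mkdir(www)
    with open(os.path.join(www, "index.html"), "wb") as f:
        f.write(b"<h1>hello</h1>")
    with open(os.path.join(tmp, "secret.txt"), "wb") as f:
        f.write(b"not for the web")
    return www


def run_demo():
    """Run each pair on the same constructed input and report what came back."""
    con = make_db()
    payload = "x' OR '1'='1"  # a parameter carrying SQL control characters
    www = make_docroot()
    results = {
        "sql_vulnerable": lookup_vulnerable(con, payload),
        "sql_hardened": lookup_hardened(con, payload),
        "sql_hardened_legit": lookup_hardened(con, "alice"),
        "path_vulnerable": read_file_vulnerable(www, "../secret.txt"),
        "path_hardened_legit": read_file_hardened(www, "index.html"),
    }
    try:
        read_file_hardened(www, "../secret.txt")
        results["path_hardened"] = "allowed"
    except PermissionError:
        results["path_hardened"] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The hardened file reader compares resolved paths rather than searching the input for `..`, because encoded or symlinked variants defeat string filters while `realpath` plus `commonpath` checks where the path actually ends up. For the query, binding the parameter is the only fix needed; escaping quotes by hand is the approach that parameterized queries replaced.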
The following attacks are not directed against the web application itself, but are often found in its environment:
- Man-in-the-middle attack - eavesdropping on client-server communication
- Denial of service - overloading the web server so that it can no longer accept requests
- Phishing - stealing customer data via fake e-mails or websites
- Catalog of measures and best practices for the security of web applications from the Federal Office for Information Security (BSI)
- Web Security Threat Classification