HTTP, HTTPS

Source: Internet
Author: User
Tags: session id

HTTP is a stateless protocol: each exchange between browser and server is kept short, which lowers the overhead of maintaining connections. Stateless means that once the browser and the server have completed one exchange, the connection is released; when the next exchange begins, the server keeps no record of what happened in the previous one. Because a stateless protocol leaves the website unable to remember the user's state, cookie technology was introduced. The HTTP server sends a cookie to the browser, and the browser returns a copy of the cookie to the server on every subsequent connection. Cookies travel between the browser and the server in HTTP headers. The browser stores no more than 300 cookies in total, no more than 20 per server, each at most 4 KB.

When a URL request is issued, the browser opens a thread to handle it and sends a DNS query to a remote DNS server, which maps the host name in the URL to an IP address. The browser then establishes a TCP/IP connection with the remote web server through the TCP three-way handshake: a synchronization message, a synchronization-acknowledgement message and an acknowledgement message, three messages passed between the browser and the remote server. Once the TCP/IP connection is established, the browser sends an HTTP GET request over it. The remote server locates the resource and returns it in an HTTP response; an HTTP status of 200 indicates a successful response.

Most of the time of an HTTP request is spent establishing the connection and waiting, so the main optimization is to reduce the number of HTTP requests:

1. Reduce image requests. There are usually two approaches, CSS sprites and inline images, plus icon fonts.
   - CSS sprites: combine several images into a single picture.
   - Inline images: using the data: URL scheme, the image can be included in the page without any additional request. The drawback is that IE8 does not support this approach well, since IE8 limits the data size and only supports data up to 23 KB. Small images can be inlined directly into the web page, but inlining large images makes the page itself larger; it is wiser to use CSS, put the inline image in as a background and keep it in an external style sheet, so that the data lives inside the style sheet. An external style sheet costs one extra HTTP request, but the browser can cache the style sheet, which is a net gain. Another point to note: Base64 is lossy compression.
   - Iconfont: icon fonts, a font technology that has become popular in recent years as a replacement for images. It adapts to any resolution without the blurring problem of images, takes less space than an image, and is more flexible (like a font, the icon's size, colour, transparency, hover state, inversion and so on can be set). Browsers from IE8 upward support this technology.
2. The main principle for reducing script and style sheet requests is merging.
3. The main directions for optimization inside the page: put style sheets at the top and script files at the bottom, avoid CSS expressions, move scripts and style sheets into external files, and remove duplicate scripts.
4. Enable caching: server-side caching, so that requests reach the server and the data flows back to the user through the cache.
5. Optimize network connectivity: use CDN acceleration, reduce DNS lookups, avoid redirects.

I. An HTTP request generally consists of four parts:

1. The HTTP method, i.e. the action of the request, such as GET or POST;

2. The requested URL (the requested address);

3. The request headers, which carry client environment information, authentication information, and so on;

4. The request body (request text), which can carry a query string submitted by the client, form data, and so on.

GET: generally used for information retrieval (typically queries). Parameters are passed in the URL (the variables appear in the URL and are visible to everyone), and the amount of data that can be sent is limited (typically 2000 characters).

POST: typically used to modify resources on the server, with no limit on the amount of data sent. The data is carried in the request body, so it does not appear in the URL and is not visible to others. It is often used to send form data, for example when creating or modifying records.

II. An HTTP response generally consists of three parts:

1. A status code, consisting of a number and a text, indicating whether the request succeeded or failed;
2. The response headers, which, like the request headers, contain a lot of useful information, such as server type, date and time, content type and length, and so on;
3. The response body.
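To make the four request parts and three response parts concrete, here is an added example (not code from the original post) that parses raw HTTP/1.1 messages into those parts and pulls the parameters from the URL for GET and from the body for a form POST. The sample messages and host names are constructed for the example.

```python
# Added example (not part of the original post): a minimal parser for raw
# HTTP/1.1 messages that exposes the request and response parts listed above.
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs


@dataclass
class HttpRequest:
    method: str                                   # part 1: the action (GET, POST, ...)
    target: str                                   # part 2: the requested URL / path
    version: str
    headers: dict = field(default_factory=dict)   # part 3: request headers
    body: bytes = b""                             # part 4: request body


@dataclass
class HttpResponse:
    version: str
    status: int                                   # part 1: numeric status code ...
    reason: str                                   # ... and its text
    headers: dict = field(default_factory=dict)   # part 2: response headers
    body: bytes = b""                             # part 3: response body


def _split_message(raw: bytes):
    """Split a raw message into its start line, a header dict and the body."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP message: no blank line after headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    # Trust only Content-Length for the body size; anything beyond it is ignored.
    length = int(headers.get("content-length", "0"))
    return lines[0], headers, rest[:length]


def parse_request(raw: bytes) -> HttpRequest:
    start, headers, body = _split_message(raw)
    method, target, version = start.split(" ")
    return HttpRequest(method, target, version, headers, body)


def parse_response(raw: bytes) -> HttpResponse:
    start, headers, body = _split_message(raw)
    version, _, rest = start.partition(" ")
    code, _, reason = rest.partition(" ")
    return HttpResponse(version, int(code), reason, headers, body)


def request_params(req: HttpRequest) -> dict:
    """GET carries its parameters in the URL; a form POST carries them in the body."""
    if req.method == "GET":
        return parse_qs(urlsplit(req.target).query)
    ctype = req.headers.get("content-type", "")
    if req.method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        return parse_qs(req.body.decode("iso-8859-1"))
    return {}


# Constructed sample messages (not captured traffic).
RAW_GET = (b"GET /search?q=http&page=2 HTTP/1.1\r\n"
           b"Host: www.example.com\r\n"
           b"Cookie: JSESSIONID=abc123\r\n"
           b"\r\n")

RAW_POST = (b"POST /login HTTP/1.1\r\n"
            b"Host: www.example.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 27\r\n"
            b"\r\n"
            b"user=alice&password=secret1")

RAW_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Type: text/html\r\n"
                b"Content-Length: 12\r\n"
                b"Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
                b"\r\n"
                b"<h1>hi</h1>\n")

if __name__ == "__main__":
    for raw in (RAW_GET, RAW_POST):
        req = parse_request(raw)
        print(req.method, req.target, request_params(req))
    resp = parse_response(RAW_RESPONSE)
    print(resp.status, resp.reason, resp.headers["set-cookie"], resp.body)
```

The parser lowercases header names because HTTP header names are case-insensitive, and it cuts the body at Content-Length so trailing bytes on the connection are never mistaken for part of the message.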

III. Session and cookies

Session definition

Usually translated as 'session'. Applied to the web, a session is the period from when the user starts browsing a site until the browser is closed, that is, the time the user spends browsing the site. From this definition we can see that a session is really a concept of a specific time span.

How the session Works

The session mechanism is a server-side mechanism: the server uses a hash-table-like structure to hold the information.
When a client requests the creation of a session, the server first checks whether the client request contains a session ID. If it does, a session was previously created for this client, and the server retrieves that session using the session ID.

If the client request does not contain a session ID, the server creates a session for the client and generates a session ID associated with it. The session ID is a string that is neither duplicated nor easy to guess, and it is returned to the client in the response for the client to store. The session ID can be stored in a cookie; the cookie's name is usually similar to SESSIONID.

For example: jsessionid=byok3vjfd75apnrf7c2hmdnv6qzcebzwowibyenlerjq99zwpbng!-145788764, whose name is jsessionid.

Since cookies can be deliberately disabled, there must be other mechanisms that can still pass the session ID back to the server when cookies are disabled. A commonly used technique is URL rewriting, which attaches the session ID directly to the URL path. There are two forms:

1. As additional information in the URL path, in the form Http://...../xxx;jsessionid=ByOK ... 99zwpbng!-145788764

2. As a query string appended to the URL, in the form Http://...../xxx?jsessionid=ByOK ... 99zwpbng!-145788764

For the user there is no difference between the two forms, but the server parses them differently; the first form also helps keep the session ID separate from normal program parameters. To maintain state throughout the interaction, the session ID must be appended to every path the client may request.

Another technique is the form hidden field: the server automatically modifies the form, adding a hidden field, so that the session ID is passed back to the server when the form is submitted. This technique is rarely used now.

There is a misconception that "as soon as you close the browser, the session disappears." Think of the membership card example: unless the customer actively returns the card to the store, the store will not lightly delete the customer's record. The same holds for sessions: unless the program tells the server to delete a session, the server keeps it, and the program generally sends that delete instruction when the user logs off. The browser, however, never notifies the server before it shuts down, so the server never gets the chance to learn that the browser was closed. The illusion arises because most session mechanisms use session cookies to hold the session ID; the session ID disappears when the browser is closed, so the original session cannot be found on the next connection to the server. If the cookie set by the server is saved to disk instead, or if some means is used to overwrite the HTTP request header sent by the browser so that the original session ID is sent to the server, the original session can still be found after reopening the browser.

Precisely because closing the browser does not delete the session, the server is forced to set an expiration time for the session: when the time since the client last used the session exceeds the expiration time, the server can assume that the client has stopped its activity and delete the session to save storage space.
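The session mechanism described in this section, as an added example that is not code from the original post: a server-side store that generates an unguessable session ID, accepts the ID from a cookie or from either URL-rewriting form, and drops sessions that have been idle longer than the expiration time. The names (`SessionStore`, `COOKIE_NAME`, `IDLE_TIMEOUT`, `handle_request`), the 30-minute timeout and the `HttpOnly` attribute on the cookie are the example's own choices, not from the page.

```python
# Added example (not part of the original post): a server-side session store
# that finds the session ID in a cookie, a ";jsessionid=" path parameter, or a
# "?jsessionid=" query string, and expires idle sessions.
import secrets
import time
from urllib.parse import urlsplit, urlunsplit, parse_qs

COOKIE_NAME = "JSESSIONID"
IDLE_TIMEOUT = 30 * 60   # seconds of inactivity after which the server drops a session


class SessionStore:
    def __init__(self, now=time.time):
        self._sessions = {}   # session ID -> {"data": {...}, "last_seen": timestamp}
        self._now = now       # injectable clock so expiry can be tested

    def create(self) -> str:
        # 32 random bytes from the OS CSPRNG: unguessable and, in practice, never repeated.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"data": {}, "last_seen": self._now()}
        return sid

    def lookup(self, sid):
        """Return the session's data dict, or None if the ID is unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > IDLE_TIMEOUT:
            # Idle too long: the server assumes the client stopped and frees the storage.
            del self._sessions[sid]
            return None
        entry["last_seen"] = self._now()
        return entry["data"]

    def delete(self, sid) -> None:
        """Called when the user logs off; closing the browser never triggers this."""
        self._sessions.pop(sid, None)


def extract_session_id(cookie_header, request_target):
    """Find the session ID in the Cookie header, the path parameter, or the query string."""
    if cookie_header:
        for part in cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name == COOKIE_NAME:
                return value
    parts = urlsplit(request_target)
    # URL rewriting, form 1: /xxx;jsessionid=...
    _, sep, param = parts.path.partition(";")
    if sep and param.lower().startswith("jsessionid="):
        return param.split("=", 1)[1]
    # URL rewriting, form 2: /xxx?jsessionid=...
    return parse_qs(parts.query).get("jsessionid", [None])[0]


def rewrite_url(url, sid):
    """Append the session ID to a URL as a path parameter (form 1)."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc,
                       parts.path + ";jsessionid=" + sid, parts.query, parts.fragment))


def handle_request(store, cookie_header, request_target):
    """Locate or create the session; returns (sid, data, set_cookie_header_or_None)."""
    sid = extract_session_id(cookie_header, request_target)
    data = store.lookup(sid) if sid else None
    set_cookie = None
    if data is None:
        sid = store.create()
        data = store.lookup(sid)
        # HttpOnly keeps page scripts from reading the ID (example's own choice).
        set_cookie = f"{COOKIE_NAME}={sid}; Path=/; HttpOnly"
    data["visits"] = data.get("visits", 0) + 1
    return sid, data, set_cookie


if __name__ == "__main__":
    store = SessionStore()
    sid, data, header = handle_request(store, None, "/home")
    print("new session", sid[:8], data, header)
    sid, data, header = handle_request(store, f"{COOKIE_NAME}={sid}", "/home")
    print("same session", sid[:8], data, header)
```

The clock is injected so that expiry can be exercised without waiting; in production the default `time.time` is used. Note that `lookup` refreshes `last_seen` on every hit, which is what makes the timeout an idle timeout rather than an absolute one.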

Cookies

Cookie definition

"Cookie" is a small amount of information. Sent by the server to be stored on the browser so that the next time the visitor returns to the Web server, this information can be read back from the browser.

How Cookies work

In general, cookies are returned from the server to the browser in HTTP headers. The combination of path and domain defines the cookie's scope. Cookies stored on disk can be shared between different browser processes, such as two IE windows.

First, the server uses the Set-Cookie header in its response to create a cookie; the browser then includes the created cookie in its requests and returns it to the server, which completes the browser's authentication.

Expires: how long the cookie is kept. Of course, if the browser holds too many cookies and exceeds the system's allowed limit, the browser deletes them automatically.

Path: specifies for which directory path the cookie will be sent to the server.

Note: once the browser has created a cookie, the cookie is carried in the header of every request to that site, but it is never sent with requests to other sites. The browser keeps sending it until the cookie expires.

Identification characteristics: if several browsers are installed on one computer, each browser stores cookies in its own separate space. Because a cookie can not only identify the user but also carry information about the computer and the browser, a user who logs in with a different browser or a different computer gets different cookie information; on the other hand, for several users sharing the same browser on the same computer, cookies cannot tell them apart unless they log in with different user names.
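The scope rules above (Expires, Path and Domain decide whether a stored cookie goes out with a request, and a cookie is never sent to another site), as an added example that is not code from the original post. It implements a small browser-side cookie jar; the matching rules follow RFC 6265, and the cookies, host names and clock value are constructed for the example.

```python
# Added example (not part of the original post): how a browser decides which
# stored cookies to attach to a request, using Expires, Path and Domain.
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit


def default_path(request_path):
    """Path a cookie gets when Set-Cookie carries no Path attribute (RFC 6265 5.1.4)."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[:request_path.rfind("/")]


def parse_set_cookie(header, request_host, request_path, now):
    """Turn a Set-Cookie header into a cookie dict, or None if the browser rejects it."""
    pairs = [p.strip() for p in header.split(";")]
    name, _, value = pairs[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "domain": request_host.lower(), "host_only": True,
              "path": default_path(request_path), "expires": None}
    max_age = None
    for attr in pairs[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            cookie["expires"] = parsedate_to_datetime(val).timestamp()
        elif key == "max-age":
            max_age = int(val)
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
        elif key == "domain":
            domain = val.lstrip(".").lower()
            # A server may only set cookies for its own host or a parent domain.
            if not (request_host == domain or request_host.endswith("." + domain)):
                return None
            cookie["domain"], cookie["host_only"] = domain, False
    if max_age is not None:            # Max-Age takes precedence over Expires
        cookie["expires"] = now + max_age
    return cookie


def path_match(request_path, cookie_path):
    """/app matches /app and /app/home but not /apple."""
    if request_path == cookie_path:
        return True
    return (request_path.startswith(cookie_path)
            and (cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"))


def domain_match(host, cookie):
    if cookie["host_only"]:
        return host == cookie["domain"]
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])


def cookies_for_request(jar, url, now):
    """Build the Cookie header value for a request, purging expired cookies from the jar."""
    parts = urlsplit(url)
    host = parts.hostname.lower()
    path = parts.path or "/"
    jar[:] = [c for c in jar if c["expires"] is None or c["expires"] > now]
    sent = [c for c in jar if domain_match(host, c) and path_match(path, c["path"])]
    return "; ".join(f"{c['name']}={c['value']}" for c in sent)


# Constructed scenario: Set-Cookie headers received from www.example.com.
NOW = 1_600_000_000   # constructed clock value (2020-09-13 UTC)
JAR = []
for header, from_path in [
    ("sessionid=abc; Path=/app", "/app/login"),               # limited to /app
    ("pref=dark; Domain=example.com; Path=/", "/"),           # shared with subdomains
    ("old=1; Expires=Wed, 21 Oct 2015 07:28:00 GMT", "/"),   # already expired
    ("evil=1; Domain=other.com", "/"),                        # rejected: not our domain
]:
    parsed = parse_set_cookie(header, "www.example.com", from_path, NOW)
    if parsed is not None:
        JAR.append(parsed)

if __name__ == "__main__":
    for url in ("https://www.example.com/app/home", "https://www.example.com/apple",
                "https://shop.example.com/app/home", "https://www.other.com/app/"):
        print(url, "->", repr(cookies_for_request(JAR, url, NOW)))
```

The `Domain` check in `parse_set_cookie` is what enforces the "never sent to other sites" rule from the server side: a response from `www.example.com` cannot plant a cookie scoped to `other.com`, and a host-only cookie (no Domain attribute) is returned only to the exact host that set it.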

The difference between a session and a cookie

1. A session is stored on the server, and the client does not know its content; a cookie is stored on the client, and the server can know its content.

2. A session stores objects; a cookie stores strings.

3. Sessions do not distinguish paths: during one visit to a website, all of a user's sessions can be accessed from anywhere on the site. With cookies, if the path parameter is set, cookies under different paths of the same website cannot access each other.

4. By default, sessions need cookies to work properly. If the client disables cookies completely, the session mechanism fails, but URL rewriting can be used instead.

5. A session ends when the user's session ends, whereas a cookie can be kept for a long time because it is stored on the client.

6. Cookie: a small fragment of information written to the client by the server. Cookie information is stored in the server cache and will not appear on the client. When you first log on to a website, the server writes fragments of information to your machine. You can find the folder where cookies are stored under Internet Options. If you do not delete it, the cookie stays in this folder.

IV. HTTPS

HTTPS plays a key role in protecting user privacy and preventing traffic hijacking, but at the same time HTTPS slows user access and increases the computing resources consumed by the web server.

The Hypertext Transfer Protocol (HTTP) is used to pass information between a web browser and a web server. HTTP sends content in plaintext and provides no data encryption of any kind, so if an attacker intercepts a message in transit between the web browser and the web server, the information can be read directly. HTTP is therefore not suitable for transmitting sensitive information such as credit card numbers, passwords and other payment details.

To address this flaw of HTTP, another protocol is needed: HTTPS, Hypertext Transfer Protocol over Secure Sockets Layer. For the security of data transmission, HTTPS adds the SSL (Secure Sockets Layer) protocol on top of HTTP; SSL relies on certificates to verify the identity of the server and to encrypt the communication between the browser and the server.

How HTTPS avoids man-in-the-middle hijacking

If someone hijacks your DNS server and resolves www.icbc.com to his illegitimate website, or a proxy server directs you to his illegitimate website, that is a man-in-the-middle attack. Without HTTPS, the attack succeeds. HTTPS avoids this type of attack through certificate verification:

1. When a certificate is applied for, the CA verifies control of the domain name being applied for, so you cannot apply for a certificate using your neighbour's website. Even if you hacked his site, it would be discovered as soon as he applied for a certificate himself.

2. If a certificate is forged, it was not issued by an authoritative CA, so the browser's check will warn the user that the certificate is invalid. Of course, the user can still choose to continue, for example when rushing to grab train tickets.

3. If you take the real site's certificate, leave the domain name on it unchanged and only replace the public key, the browser's comparison of the certificate's digital signature detects the tampering and raises a warning.

4. If the man in the middle presents the real certificate of www.icbc.com unchanged, he can receive the client's messages but cannot decrypt them, so he cannot respond to the client's requests either, and the attack fails.
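The first three checks above (trusted issuer, intact signature, matching host name), as an added example that is not code from the original post. It runs a browser-style verification over a genuine certificate, a neighbour's genuine certificate presented for the wrong host, a certificate from an untrusted CA, and the genuine certificate with its public key swapped. The CA "signature" here is an HMAC over the certificate fields with a constructed CA key, a stand-in for the real asymmetric signature so that the example runs offline; the trust store, CA name, certificates and host names are all constructed. Check 4 (the attacker holding the real certificate cannot decrypt without the private key) needs real public-key cryptography and is not modelled here.

```python
# Added example (not part of the original post): the checks a browser applies
# to a server certificate before it decides whether to warn the user.
import hashlib
import hmac
import json

ONE_YEAR = 365 * 24 * 3600
# Constructed browser trust store: CA name -> CA signing key.
# (A real store holds CA public keys and verifies RSA/ECDSA signatures.)
TRUSTED_CAS = {"Example Root CA": b"constructed-example-ca-key"}


def _to_be_signed(fields):
    return json.dumps(fields, sort_keys=True).encode()


def issue_certificate(ca_name, ca_key, subject, public_key, not_after):
    """What a CA does after verifying that the applicant controls `subject`."""
    fields = {"issuer": ca_name, "subject": subject,
              "public_key": public_key, "not_after": not_after}
    signature = hmac.new(ca_key, _to_be_signed(fields), hashlib.sha256).hexdigest()
    return {**fields, "signature": signature}


def hostname_matches(hostname, subject):
    """Exact match, or a single wildcard in the leftmost label (*.icbc.com)."""
    host = hostname.lower().split(".")
    pattern = subject.lower().split(".")
    if len(host) != len(pattern) or len(pattern) < 2:
        return False
    if pattern[0] == "*":
        return len(pattern) >= 3 and host[1:] == pattern[1:]
    return host == pattern


def verify_certificate(cert, hostname, now):
    """Return (accepted, reason); any False result is what triggers the browser warning."""
    ca_key = TRUSTED_CAS.get(cert.get("issuer"))
    if ca_key is None:
        return False, "issuer is not a trusted CA"            # point 2: forged certificate
    fields = {k: cert[k] for k in ("issuer", "subject", "public_key", "not_after")}
    expected = hmac.new(ca_key, _to_be_signed(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["signature"]):
        return False, "signature does not match certificate"  # point 3: public key swapped
    if now > cert["not_after"]:
        return False, "certificate expired"
    if not hostname_matches(hostname, cert["subject"]):
        return False, "hostname mismatch"                     # point 1: neighbour's certificate
    return True, "ok"


# Constructed scenarios, all presented to a browser visiting www.icbc.com.
NOW = 1_600_000_000
CA_KEY = TRUSTED_CAS["Example Root CA"]
REAL_CERT = issue_certificate("Example Root CA", CA_KEY, "www.icbc.com", "pk-icbc", NOW + ONE_YEAR)
NEIGHBOUR_CERT = issue_certificate("Example Root CA", CA_KEY, "www.neighbour.example",
                                   "pk-neighbour", NOW + ONE_YEAR)
FORGED_CERT = issue_certificate("Untrusted CA", b"constructed-other-key", "www.icbc.com",
                                "pk-other", NOW + ONE_YEAR)
TAMPERED_CERT = {**REAL_CERT, "public_key": "pk-other"}   # real cert, public key replaced


def run_scenarios():
    return {name: verify_certificate(cert, "www.icbc.com", NOW) for name, cert in [
        ("real", REAL_CERT), ("neighbour", NEIGHBOUR_CERT),
        ("forged", FORGED_CERT), ("tampered", TAMPERED_CERT)]}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:10} {result}")
```

The order of the checks matters for the reason reported, not for safety: every branch that returns `False` ends in the same warning, and `hmac.compare_digest` is used so that the signature comparison does not leak timing information.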
