HTTP basic Interaction ***************************
HTTP request Format:
The HTTP request consists of three parts: the request line, the request header, and the request body
Request Line: Request method URL Protocol/version
Example: Get/books/?sex=man&name=professional http/1.1
There are many request methods, for example: GET Post HEAD PUT DELETE and so on
The difference between get and post:
1, in the client, get way to submit data through the URL, the data can be seen in the URL, post, the data is placed in the body of the HTTP packet.
2, there is a limit to the size of the data submitted by the Get method (because the browser has a limit on the length of the URL), and post does not have this limitation.
3, security issues. As mentioned in (1), when you use GET, the parameters are displayed on the address bar, and Post does not. So
If the data is in Chinese and is non-sensitive data,
Use GET If the user enters data that is not Chinese characters and contains sensitive data, then use post as well.
4., the server value is not the same way. Get value, such as PHP can use $_get to get the value of the variable, and POST way through $_post
To get the value of a variable
5. Safe and idempotent. The so-called security means that the operation is used to obtain information rather than modify information. The power of the same URL means that multiple
A request should return the same result the get operation generally does not produce side effects. POST represents a request that might change resources on the server.
Still take the news site as an example, the reader's comments on the article should be implemented through the POST request, because the site is different after the comment submission
The head method is the same as the Get method, except that the message body is not returned by the server response. In the response to a head request, the HTTP header contains the Motonobu
Should be the same as the response message for a GET request.
This method can be used to get the meta information that is implied in the request without transmitting the entity itself. Also often used to test the validity and usability of hyperlinks
and recent changes.
The difference between put and post: both methods have the meaning of updating or creating resources
But what is the difference between put and post?
In HTTP, put is defined as a method of idempotent, and post is not, which is a very important difference.
Idempotent means that a method is repeated several times, the effect is the same, is the idempotent
If we send two http://superblogging/blogs/post/Sample requests, what kind of behavior is the server side? If you create a
Two blog posts, that means the service is not idempotent,
It's because of the side effects of multiple use; if the latter request overwrites the first request, the service is idempotent.
In the former case, the Post method should be used, and in the latter case, the put method should be used.
Request Header:
Each header field consists of a domain name, a colon (:), and a domain value of three parts.
The common request headers are as follows:
Transport Header field:
Connection:keep-alive indicates whether a persistent connection is required, the HTTP1.1 version also introduces a pipeline mechanism (pipelining)
That is, within the same TCP connection, the client can send multiple requests at the same time. This will further improve the efficiency of the HTTP protocol
The server can also transmit multiple responses, so a mechanism is needed to differentiate which response the datagram belongs to, which is content-length
The function of this field, such as the length of this response is 100 bytes, and the subsequent bytes belong to the next response.
Host Header field:
The host request header domain is used primarily to specify the Internet host and port number of the requested resource
Client header domain:
Accept: The type of media acceptable to the browser, such as Text,html,image, etc., if it is */*, the browser can accept all types
Accept-encoding: The browser affirms the encoding method that it receives, usually specifying the compression method
Accept-language: The browser declares its own accepted language
User-agent: Tell the HTTP Server the name and version of the operating system and browser that the client is using
Accept-charset: The browser declares its own accepted character set
Cookie/login header field:
Cookie: Sends the value of the cookie to the HTTP server
Entity header field:
Content-length: The length of data sent to the HTTP server.
Content-type: Represents the data type and the character set used for example: Text/html;charset=utf-8
Miscellaneous header Field
Referer: The server that provides the context information for the request, tells the server which link I took it from.
Cache header Field
If-modified-since:
When the last modification time of the browser-side cache page is sent to the server, the server compares this time with the last modification time of the actual file on the server.
If the time is the same, then return 304, the client uses the local cache file directly. If the time is inconsistent, 200 and the new file contents are returned.
After the client receives it, it discards the old file, caches the new file, and displays it in the browser.
Cache-control: The rules that specify the caching mechanism have the following options: public (which can be cached by any cache), private (content is cached only in the private cache),
No-cache (all content will not be cached)
HTTP response Format:
The HTTP response is also made up of three parts: the status line, the message header, and the response body
1. Status line: The status line consists of the Protocol version, the status code in the number form, and the corresponding state description
$ OK//client request succeeded
404 Not Found//request resource not present, eg: Wrong URL entered
2. Message header:
Cache header Field
Date: Effect: The time and date at which the message was generated, that is, the current GMT time.
Expires: Role: The browser uses the local cache for the specified expiration time, indicating when the document should be considered expired and thus no longer caches it.
Vary: for example: vary:accept-encoding
Cookie/login header Field
P3P: Role: Used to set cookies across domains, which resolves an iframe cross-domain access cookie problem
Set-cookie
Role: A very important header, used to send cookies to the client browser, each write cookie generates a Set-cookie.
For example: SET-COOKIE:PHPSESSID=C0HUQ7PDKMM5GG6OSOE3MGJMM3; path=/
Entity Body Header field:
Attributes of entity content, including entity information type, length, compression method, last modification time, data validity, and so on.
ETag:
Function: Used in conjunction with If-none-match. (See examples of If-none-match in the section)
Last-modified
Role: Used to indicate the last modification date and time of the resource. (See examples of if-modified-since in the section)
Content-type:
Role: The Web server tells the browser the type and character set of the object it responds to.
Content-length:
Indicates the length of the entity body, expressed as a decimal number stored in bytes. In the process of data downlink, the way to Content-length is to pre-
All data is cached in the server first, and then all data is peremptorily to the client.
Content-encoding:
Role: The Encoding (Encode) method of the document. Compression is generally the way.
Content-language:
Role: The Web server tells the browser to respond to the language of the object
Miscellaneous header Field
Server: function: Indicates the software information of the HTTP server for example: apache/2.2.8 (WIN32) php/5.2.5
X-powered-by: The role of the website is to use what technology developed. Example: x-powered-by:php/5.2.5
Transport header Field
Connection such as connection:keep-alive when a Web page is opened, the client and server are used to transfer HTTP data between the
The TCP connection does not close, and if the client accesses the Web page on the server again, it will continue to use this established connection
Location: function: Used to redirect a new position, including a new URL address
3. Response Body:
The response body is the contents of the resource returned by the server and must be separated by a blank line between the response header and the body
HTTPS content ***********************
Session and Cookie
Symmetric key: The two parties that send and receive data must encrypt and decrypt the plaintext using the same key
SSL TLS:
SSL (secure Sockets layer), and its successor Transport Layer Security (Transport layer Security,tls)
is a security protocol that provides security and data integrity for network communications. TLS and SSL encrypt network connections at the Transport layer
The basic process of the SSL/TLS protocol:
(1) The client requests and validates the public key from the server side.
(2) Both parties negotiate to generate a "dialog key".
(3) The two parties use the "dialogue key" for encrypted communication.
The basic idea of the SSL/TLS protocol is to use public key cryptography, that is, the client requests the public key to the server, then encrypts the information with the public key, and the server receives the ciphertext and decrypts it with its private key.
The first two steps, also known as the handshake phase
1. First the client makes a request--ClientHello
For example: The TLS version supported by the client; Supported encryption methods; Supported compression methods; Random number generated by a client
2. Server Response--Severhello
Confirm that the encrypted communication protocol version is used, such as TLS 1.0 if the client and server versions are inconsistent, the server shuts down the cryptographic service
Confirm the encryption method used; a random number generated by a server; Server certificate
3. Client response: The certificate sent by the server will be verified first. If the certificate is not issued by a trusted authority, or the domain name in the certificate
If the actual domain name is inconsistent, or if the certificate has expired, a warning is displayed to the visitor to choose whether or not to continue communicating.
The client then removes the server's public key from the certificate and sends the following information to the server:
A random number, the random number is encrypted with the public key to prevent eavesdropping;
Code change notification, indicating that the subsequent information will be sent with mutually agreed encryption method and password;
Client handshake end Notification.
4. The server receives a third random number to decrypt the message with the private key, and then computes the session key used for this session
(At this point, the server and the client already have three random numbers, and then both sides use the previously agreed encryption method to generate the same
Session key, which is the secret key for the symmetric encryption used later, the server sends the following message to the client:
Code change notification, indicating that subsequent information will be sent with mutually agreed encryption method and key;
The server handshake end notification indicates that the server's handshake phase has ended. This is also the hash value of all the content that was previously sent,
Used for client-side validation.
After the handshake phase is over, the client and the server enter encrypted communication, which is completely using the normal HTTP protocol.
Just encrypt the content with the session key.
Three points to note in the handshake phase:
(1) A total of three random numbers are required to generate the dialog key.
(2) Dialogue after handshake use "conversation key" encryption (symmetric encryption), the server's public and private keys are used only to encrypt and decrypt the "conversation key" (Asymmetric encryption),
No other effect.
(3) The server public key is placed in the server's digital certificate.
The difference between HTTP1.0 and HTTP1.1 *******************
HTTP 1.1 overcomes the performance issues of HTTP 1.0, based on the advantages of HTTP 1.0.
1.http1.1 supports persistent connection persistent Connection and uses persistent connections by default. A new request header has also been added to this:
When the value of the connection request header is keep-alive, the client notifies the server to keep the connection after returning the request result;
When the value of the connection request header is close, the client notifies the server to close the connection after returning the request result
2.http1.1 adds a request pipeline (pipelining) mechanism, or a pipeline mechanism. That is, in the same TCP connection,
The client can send multiple requests at the same time. The pipeline mechanism allows the browser to make multiple requests simultaneously, but the server still follows
In order to respond to individual requests. The field is also added for this content-length
3. Chunked transfer encoding
The precondition for using the Content-length field is that the data length of the response must be known before the server sends a response.
For some time-consuming dynamic operations, this means that the server waits for all operations to complete before it can send data, which is obviously inefficient.
A better approach is to produce a piece of data, send a piece, and replace the "cache mode" (buffer) with a stream mode.
As long as the header information for the request or response has a transfer-encoding field, the response will be made up of an undetermined number of data blocks.
Before each non-empty block of data, there is a 16 binary value representing the length of the block. The last is a block of size 0,
The data that indicates the response is sent out.
4. Added the host domain
In HTTP1.0, each server is considered to be bound to a unique IP address, so the URL in the request message does not have a host name (hostname).
However, with the development of virtual host technology, multiple virtual hosts (multi-homed Web Servers) can exist on a physical server, and
They share an IP address. After you increase the host Request header field in HTTP 1.1, the Web browser can use the host header to explicitly indicate that you want to access
The Web site on the server, which enables the use of different host names on the same IP address and port number on a single Web server
Create multiple virtual Web sites
5. New Request method
such as Options,put, DELETE, TRACE, connect and other methods
6. Added the ability to support the delivery of part of the content
HTTP1.1 supports the transfer of part of the content. For example, when the client already has part of the content, in order to save bandwidth, you can request only a part of the server
The Range header field is introduced in the request message in http/1.1, which allows only a portion of the resource to be requested. Content-range headers in the response message
The field declares the offset value and length of the returned part of the object. The response code is 206 if the server returns the contents of the requested range of the object accordingly
(Partial Content), which prevents the cache
To mistake a response for a complete object
7. Save Bandwidth
Another scenario where bandwidth is wasted is if the request message contains larger entity content, but it is not determined whether the server can receive the request (for example, if there is permission).
If a request with an entity is made rashly, the bandwidth will be wasted if rejected.
http/1.1 added a new status code of (Continue). The client sends a request in advance for a lead-only domain, if the server denies the request because of a permission,
Echo Response code 401 (unauthorized); If the server receives this request with a loopback response code of 100, the client can continue to send the complete request with the entity.
Note that the http/1.0 client does not support 100 response codes. However, you can have the client join the Expect header field in the request message and set its value to 100-continue
8. Added some status codes
***********************session and cookie******************
the Google browser URL entry field has a circle I on the left, and there's a cookie when it's opened.
Cookie (Sweet Cakes) What is the
cookie mechanism, what is the use of, how to use
1.Http is a stateless protocol, that is, the same client this time with the next request does not have a corresponding relationship, if it is similar to the user buy something
before and after the purchase of things to be placed in the same account on the shopping cart, A mechanism is needed to ensure that the server knows each customer's identity, so that it can be the same user as the client before and after the guest
.
2.Cookie is actually a small piece of text information. The client requests the server and, if the server needs to log the user state, uses response to issue a cookie to the client's
-side browser. The client browser will save the cookie. When the browser requests the site again, the browser submits the requested URL together with the
cookie to the server. The server checks the cookie to identify the user state. The server can also modify the contents of the cookie as needed. The
Cookie object saves the user state in the form of a Key-value property pair,
A cookie object holds a property pair, and a request or response uses multiple cookies simultaneously
3. How to view cookie content
Two ways the first way to take advantage of F12 the second way on the left side of the URL can be viewed, the following image to fill the
4.Cookie several features:
①:cookie non-cross-domain name
for different domain names will have a corresponding cookie, Cookies are stored on the client and managed by the browser, and the browser can save cookies that only handle the specified domain name,
thereby guaranteeing the user's privacy. The maxage of the
②:cookie validity
Cookie determines the lifetime of the cookie, in seconds. The
client can save this cookie object in two ways, one in the client's memory, called a temporary cookie, and the cookie object disappears after the browser closes
. Another way is to keep it on the client's disk, known as a persistent Cookie. In the future, whenever the client accesses the site,
will send the cookie to the server again, provided that the cookie is within its validity period, thus enabling the customer to be tracked.
Session mechanism:
In addition to using the Cookie,web application, the session is often used to record client state. The session is a mechanism used by the server to record client status
, which is simpler than cookies and increases the storage pressure of the server. The session is another mechanism for recording customer status, with different
cookies stored in the client browser and the session stored on the server. When the client browser accesses the server, the server logs the client information to the server in some form of
. When the client browser accesses it again, it only needs to find the customer's status from that session. If the cookie machine
System is to check the customer's "pass" to determine the customer identity, then the session mechanism is to check the server on the "Customer schedule" to confirm the
customer identity. Session is equivalent to a program on the server set up a customer profile, when customers visit only need to query the customer file table on it. How is the
session implemented?
1. Using Cookies
SessionID is a session key, the first time the browser accesses the server to generate a session on the server side, there is a sessionid and it corresponds. The
Tomcat-generated SessionID is called Jsessionid. The server then sends a cookie to the client. When the client initiates the request, the
will carry the SessionID in the cookie header. This allows the server to find the session corresponding to this
client. If not found, a new session will be created.
2. If the client browser does not support cookies or prohibits cookies, the URL rewriting method can be used to get the session ID from the server.
URL Address Rewriting is a solution that does not support cookies for clients. The principle of URL address rewriting is to rewrite the ID information of the user session to the URL address. The
server can parse the rewritten URL to get the session ID. This allows you to use the session to record user status even if the client does not support cookies.
There are obvious differences between the cookie and the session:
1) The cookie saves the state on the client, and the session saves the State on the server side;
2) Cookies are small pieces of text that the server stores on the local machine and are sent to the same server with each request. Cookies are first implemented in RFC2109,
Subsequent RFC2965 have been enhanced. The Web server uses HTTP headers to send cookies to the client, and in the client terminal, the browser parses the cookies and saves them
As a local file, it automatically binds any request on the same server to these cookies. The session is not defined in the HTTP protocol;
3) session is for each user, the value of the variable is stored on the server, with a sessionid to distinguish which user session variable,
This value is returned to the server by the user's browser when it is accessed, and may be set to be returned by get to the server when the customer disables the cookie;
4) As far as security is concerned: when you visit a site that uses a session and create a cookie on your own machine, it is recommended that the session mechanism on the server side be more secure.
Because it does not arbitrarily read the information stored by the customer.
5) Cookies are not very secure, others can analyze cookies stored locally and make cookie spoofing, taking into account that security should use the session;
6) session will be saved on the server for a certain period of time. When the number of accesses increases, the performance of your server will be more expensive. In view of mitigating server performance, cookies should be used;
HTTP basic Content