HTTP Session Management

Source: Internet
Author: User
Tags: http, authentication

1. Content-Type

The Content-Type header carries the MIME type of the request body; it can be set through the HTML form element. The default is application/x-www-form-urlencoded: "name=value" pairs joined by &, with both the name and the value percent-encoded.

2. Percent-encoding

Chinese characters and special symbols cannot be placed in a URL directly; they must be percent-encoded before they can be used in a URL.

Percent-encoding converts each byte of a character into the form %xx. The Chinese character "de" encoded in UTF-8 gives the byte sequence E5 BE B3, so its percent-encoded form is %e5%be%b3.

According to the percent-encoding rules a space should become %20, but in application/x-www-form-urlencoded the space is special-cased and encoded as +.

3. Referer

The page that linked to the current page.

A request sent by a FORM element, a link generated by an A element, or an image loaded by an IMG element can all produce a Referer header.

4. Differences in use between GET and POST

* The GET method is only for lookups (retrieving resources).

* The GET method is expected to have no side effects (a side effect is any change other than obtaining the contents of the resource).

* The POST method should be used when sending sensitive data.

The GET method passes parameters in the query string appended to the URL. Because browsers and servers limit the length of a URL they can handle, the POST method is the safer choice when a large amount of data is passed.

The GET method carries the following risks:

* Parameters placed in the URL are leaked through the Referer header;

* Parameters placed in the URL remain in the access log.

5. Hidden parameters, cookies, sessions

Authentication and authorization information must be protected against modification by the user, so it should be kept in session variables.

For other information, first consider whether it can be kept in a hidden parameter.

Before login there is no authentication or authorization information, so in principle session variables should be avoided and hidden parameters used instead, to prevent information leakage.

6. HTTP authentication

Basic authentication, NTLM authentication, Digest authentication, and so on.

Basic authentication:

Under this scheme, when the browser requests a web page that requires authentication, the server first returns the status code "401 Unauthorized" to the browser. When the browser receives this status code it displays a dialog asking for the ID and password, then adds the entered ID and password to the request message and sends it to the server again.

Basic authentication is usually implemented by configuring the web server, but it can also be implemented in code.

Authorization header: the string after "Basic" is the ID and password joined by a colon, encoded with Base64.

Once authentication succeeds, the browser automatically attaches the Authorization header to every request sent to the protected directory. The authentication dialog is shown only once, at the start; the ID and password are then sent with each request, and the authentication state is not stored anywhere. Basic authentication is stateless, and there is no concept of logging off.
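The Authorization header exchange described above, reconstructed as an added example (not code from the original notes). The server-side decode shows that Base64 is only an encoding, so the ID and password are readable by anyone who sees the header; all function names here are hypothetical.

```python
import base64
import binascii
import hmac


def basic_challenge(realm: str) -> dict:
    """Header the server sends with 401 Unauthorized to request Basic credentials."""
    return {"WWW-Authenticate": f'Basic realm="{realm}"'}


def build_basic_authorization(user_id: str, password: str) -> str:
    """Build the header exactly as the browser does: Base64 of 'id:password'."""
    if ":" in user_id:
        # The first colon separates ID from password, so the ID may not contain one.
        raise ValueError("user id must not contain ':'")
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header: str):
    """Recover (id, password) from an Authorization header; None if malformed.

    No secret is needed to do this: the credentials are only Base64-encoded,
    which is why Basic authentication must only be used over TLS.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user_id, sep, password = raw.partition(":")  # password itself may contain ':'
    if not sep:
        return None
    return user_id, password


def check_basic_auth(header, expected_id: str, expected_password: str) -> bool:
    """Server-side check of one request; constant-time compare on both fields."""
    parsed = parse_basic_authorization(header) if header else None
    if parsed is None:
        return False
    user_id, password = parsed
    id_ok = hmac.compare_digest(user_id.encode("utf-8"), expected_id.encode("utf-8"))
    pw_ok = hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
    return bool(id_ok & pw_ok)  # '&' so both compares always run
```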

7. Authentication and authorization

Authentication: confirming by some means that the operator really is who they claim to be.

Authorization: granting certain permissions to a user who has already passed authentication.

8. Cookie session management

Appendix:

Percent-encoding belongs to the URL (URI) specification, while application/x-www-form-urlencoded belongs to the HTML specification; the two differ in subtle ways.
