HTTP message structure and the difference between Cookie and Session

WWW

HTTP (Hypertext Transfer Protocol)

So that interactions between World Wide Web clients and Web server programs follow strict, well-defined protocols and procedures, the HTTP Hypertext Transfer Protocol was created.

Features

  1. HTTP is an application-layer protocol (the application layer of the OSI seven-layer model).
  2. It uses reliable TCP connections for delivery.

HTTP message structure

There are two types of HTTP messages:

  1. Request messages, sent from the client to the server
  2. Response messages, sent from the server to the client

Because HTTP is text-oriented, every field in a message is an ASCII string, so the length of each field is not fixed.

HTTP request messages and response messages are both composed of three parts. As can be seen, the only difference between the two formats is the start line.

  1. Start line

    Used to distinguish a request message from a response message. In a request message the start line is called the request line; in a response message it is called the status line. The three fields in the start line are separated by spaces, and the line ends with CR and LF, representing "carriage return" and "line feed".

  2. Header lines (head)

    Used to describe some information about the browser, the server, or the message body. The header section may have several lines, or may be absent altogether. Each header line consists of a header field name and its value, and every line ends with "carriage return" and "line feed". After the last header line there is a blank line that separates the headers from the first line of the entity body.

  3. Entity body (body)

    Request messages generally do not have this part, and response messages may or may not have it.

Here are the most important features of an HTTP request message.

  1. The first line of a request message, the "request line", has only three fields: the method, the URL of the requested resource, and the HTTP version.

    Note: the word "method" here is the terminology of object-oriented technology. A "method" is the operation to be performed on the requested object; some of these methods are in fact commands. Thus the type of a request message is determined by the method it uses. Several commonly used request methods:

    HTTP/1.0 defines three request methods: GET, POST and HEAD.

    HTTP/1.1 adds five new request methods: OPTIONS, PUT, PATCH, DELETE, TRACE and CONNECT.

    Method   Meaning
    GET      Requests the specified page and returns its entity body.
    HEAD     Like GET, but the response carries only the headers, not the content; used to obtain the header.
    POST     Submits data to the specified resource for processing (e.g. submitting a form or uploading a file). The data is carried in the request body. A POST request may create a new resource and/or modify an existing one.
    PUT      Sends data from the client to the server to replace the contents of the specified document.
    DELETE   Asks the server to delete the specified page.
    CONNECT  Reserved in HTTP/1.1 for proxy servers that can switch the connection into tunnel (pipeline) mode.
    OPTIONS  Lets the client query the server's capabilities.
    TRACE    Echoes the request received by the server, mainly for testing or diagnosis.
    PATCH    Complements the PUT method; used for partial updates of a known resource.

    Example: to request the "Tsinghua University Departments" page, the start line (i.e. the request line) of the HTTP request message would be as follows. Note that there is a space after GET and another space before HTTP/1.1:

    GET http://www.tsinghua.edu.cn/chn/yxsz/index.htm HTTP/1.1

    The following is an example of a complete request message:

    GET /chn/yssz/index.htm HTTP/1.1   {the request line uses a relative URL}
    
    Host: www.tsinghua.edu.cn        {this line starts the header lines; it gives the host's domain name}
    
    Connection: close                    {tells the server it may release the connection once the requested document has been sent}
    
    User-Agent: Mozilla/5.0          {indicates that the user agent is the Netscape browser}
    
    Accept-Language: cn              {indicates that the user prefers the Chinese version of the document}
    {the request message ends with a blank line}

    The request line uses a relative URL (the host domain name is omitted) because the following header line (line 2) gives the host's domain name. The third line tells the server not to use a persistent connection: the browser wants the server to close the TCP connection after the requested object has been transferred. This request message also has no entity body.

  2. Now look at the main features of an HTTP response message.

    Every request message that is sent receives a response message. The first line of a response message is the status line.

    The status line contains three fields: the HTTP version, the status code, and a short phrase explaining the status code.

    Status codes are three-digit numbers, divided into five major categories with 33 kinds in total, for example:

    1xx: informational, e.g. the request has been received or is being processed

    2xx: success, e.g. the request was accepted or understood

    3xx: redirection, e.g. further action must be taken to complete the request

    4xx: client error, e.g. the request has bad syntax or cannot be fulfilled

    5xx: server error, e.g. the server failed to complete the request

    The following three status lines are often seen in response messages.

    HTTP/1.1 200 Accepted {accepted}

    HTTP/1.1 400 Bad Request {bad request}

    HTTP/1.1 404 Not Found {not found}

    If the requested page has moved from http://www.ee.xyz.edu/index.html to a new address, the status line and a header line of the response message take the following form:

    HTTP/1.1 301 Moved Permanently {moved permanently}

    LOCATION: http://www.xyz.edu/ee/index.html {new URL}
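As an added example (not code from the original post), here is a small parser for the three-part message layout described above. It covers both the request line (method, URL, version) and the status line (version, code, phrase), and it is fed the request and the 301 response quoted in the text, retyped with CRLF line endings.

```python
import re

CRLF = "\r\n"

def parse_http_message(raw: str) -> dict:
    """Split a text-oriented HTTP/1.x message into its three parts (start line,
    header lines, entity body) and decode the start line as a request line
    (method, URL, version) or a status line (version, code, phrase)."""
    # The header section ends at the first blank line; the entity body follows it.
    head, sep, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    start_line, header_lines = lines[0], lines[1:]
    headers = {}
    for line in header_lines:
        if not line:
            continue
        # Each header line is "name: value"; field names are case-insensitive.
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = start_line.split(" ", 2)          # three space-separated fields
    if len(parts) != 3:
        raise ValueError(f"malformed start line: {start_line!r}")
    if parts[0].startswith("HTTP/"):
        # Status line: HTTP version, three-digit status code, reason phrase
        version, code, phrase = parts
        if not re.fullmatch(r"\d{3}", code):
            raise ValueError(f"bad status code: {code!r}")
        msg = {"type": "response", "version": version, "status": int(code),
               "status_class": int(code[0]), "reason": phrase}
    else:
        # Request line: method, requested URL, HTTP version
        method, url, version = parts
        msg = {"type": "request", "method": method, "url": url, "version": version}
    msg["headers"] = headers
    msg["body"] = body if sep else ""          # the request above has no body
    return msg

# The request and the 301 response from the text above, with CRLF line ends.
REQUEST = ("GET /chn/yssz/index.htm HTTP/1.1\r\n"
           "Host: www.tsinghua.edu.cn\r\n"
           "Connection: close\r\n"
           "User-Agent: Mozilla/5.0\r\n"
           "Accept-Language: cn\r\n"
           "\r\n")
RESPONSE = ("HTTP/1.1 301 Moved Permanently\r\n"
            "Location: http://www.xyz.edu/ee/index.html\r\n"
            "\r\n")
```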

Storing user information on the server (Cookie)

Example:

When shopping online, a customer wants to buy many kinds of items. After putting a chosen item into the "shopping cart", he continues to browse and select other items. The server therefore needs to remember the user's identity so that the items he selects next can be put into the same "shopping cart", which makes it convenient to check out everything at once. Sometimes a web site may also want to restrict access by certain users. To achieve this, Cookies can be used in HTTP.

RFC 2109 defines Cookies and specifies that web sites may use Cookies to track users. Cookie originally means "small sweet biscuit" (Cantonese speakers transliterate it as "曲奇"); there is no standard Chinese translation yet. Here a Cookie denotes state information passed between an HTTP server and a client. Many web sites now use Cookies extensively.

Working principle:

When the user Zhang San browses a web site that uses Cookies, the site's server generates a unique identifier for Zhang San and uses it as an index to create an entry in the server's back-end database. It then adds a header line called Set-cookie to the HTTP response message sent to Zhang San. The "header field name" here is "Set-cookie", and the "value" that follows is the "identifier" assigned to this user. For example, the header line looks like this:
Set-cookie: 12345678
After Zhang San receives the response, his browser adds a line to the particular Cookie file it manages, containing the host name of this server and the identifier given after Set-cookie. Every time Zhang San sends an HTTP request message, the browser takes this identifier from its Cookie file and puts it into the Cookie header line of the HTTP request message:
Cookie: 12345678
Thus this web site can track the activity of user 12345678 (Zhang San) on the site. The server does not need to know the user's name or other information, but it can know which pages were visited at what time, in what order, and so on. For online shopping, the server can maintain a list of purchased items for Zhang San so that they can be paid for together.
If Zhang San visits this site a few days later, his browser continues to use the header line Cookie: 12345678 in its HTTP request messages, and the site's server can recommend goods to him based on his past visit records.

Main elements of a cookie:

The content of a cookie mainly consists of: name, value, expiry time, path and domain.
The domain can name a whole domain such as .google.com, which is like the main-store brand (say, Procter & Gamble), or a specific machine under that domain such as www.google.com or froogle.google.com, which can be compared to one P&G brand such as Rejoice.
The path is the URL path that follows the domain name, e.g. / or /foo, which can be compared to a particular Rejoice counter.
Path and domain together make up the scope of the cookie.
If no expiry time is set, the cookie's lifetime is the browser session: as soon as the browser window is closed, the cookie disappears. A cookie whose lifetime is the browser session is called a session cookie. Session cookies are generally kept in memory rather than stored on disk, although the specification does not mandate this behaviour. If an expiry time is set, the browser saves the cookie to disk; after the browser is closed and reopened, these cookies remain valid until the set expiry time passes.

Cookies stored on disk can be shared between different browser processes, e.g. two IE windows. For cookies kept in memory, different browsers behave differently. In IE, a window opened with Ctrl-N (or from the File menu) from an existing window shares them with the original window, whereas a new IE process started in other ways cannot share the in-memory cookies of already-open windows; in Mozilla Firefox 0.8, all processes and tabs share the same cookies. Generally, a window opened with JavaScript's window.open shares in-memory cookies with the original window. This "recognize the cookie, not the person" handling of session cookies by browsers often causes much trouble for developers of web applications that use a session mechanism.

Below is an example of a response header in which Google sets a cookie:
HTTP/1.1 302 Found
Location: http://www.google.com/intl/zh-CN/
Set-Cookie: PREF=ID=0565f77e132de138:NW=1:TM=1098082649:LM=1098082649:S=KaeaCFPo49RiA_d8; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com
Content-Type: text/html
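An added example (not from the original post) that parses the Google Set-Cookie value above into the five elements just listed, decides whether a cookie is a session cookie (no expiry time), and applies the domain-plus-path scope rule; the host-only behaviour when no domain attribute is present, and the second sample cookie, are assumptions added here.

```python
from datetime import datetime, timezone

def parse_set_cookie(header_value: str, origin_host: str) -> dict:
    """Parse a Set-Cookie value into the elements the text lists: name, value,
    expiry time, path and domain. origin_host is the host that sent the header;
    it becomes the domain when no domain attribute is given (host-only cookie)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "expires": None,
              "path": "/", "domain": origin_host.lower(), "host_only": True}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            # Netscape-style date as in the Google example: "Sun, 17-Jan-2038 19:14:07 GMT"
            _, _, rest = val.partition(",")
            rest = rest.replace("GMT", "").strip()
            cookie["expires"] = datetime.strptime(rest, "%d-%b-%Y %H:%M:%S").replace(tzinfo=timezone.utc)
        elif key == "path":
            cookie["path"] = val
        elif key == "domain":
            cookie["domain"], cookie["host_only"] = val.lower(), False
    return cookie

def is_session_cookie(cookie: dict) -> bool:
    return cookie["expires"] is None   # no expiry time: lives only for the browser session

def domain_matches(cookie: dict, host: str) -> bool:
    """domain=.google.com covers google.com and every host under it; host-only cookies go back only to their origin."""
    host, d = host.lower(), cookie["domain"].lstrip(".")
    if cookie["host_only"]:
        return host == d
    return host == d or host.endswith("." + d)

def path_matches(cookie: dict, request_path: str) -> bool:
    """path=/foo covers /foo and /foo/..., but not /foobar."""
    p = cookie["path"]
    if request_path == p:
        return True
    return request_path.startswith(p) and (p.endswith("/") or request_path[len(p)] == "/")

def in_scope(cookie: dict, host: str, request_path: str) -> bool:
    """Domain and path together make up the cookie's scope."""
    return domain_matches(cookie, host) and path_matches(cookie, request_path)

# Google's Set-Cookie value quoted in the text above
GOOGLE_SET_COOKIE = ("PREF=ID=0565f77e132de138:NW=1:TM=1098082649:LM=1098082649:"
                     "S=KaeaCFPo49RiA_d8; expires=Sun, 17-Jan-2038 19:14:07 GMT; "
                     "path=/; domain=.google.com")
```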

Uses of Cookies:

  1. Remembering passwords for automatic login next time
  2. Shopping cart functionality
  3. Recording user browsing data for product (advertisement) recommendations

Drawbacks of Cookies:

  1. A Cookie is appended to every HTTP request, so it adds traffic.
  2. Since Cookies are passed in clear text in HTTP requests, they are a security problem (unless HTTPS is used).
  3. Cookie size is limited to about 4 KB, which is not enough for complex storage requirements.

Session in detail

Summary:

A Session represents one conversation between the server and the browser; this conversation is continuous but may also be intermittent. Session is a server-side mechanism, and the Session object is used to store the information needed for a particular user's session.

Working principle:

When a user accesses a server on which Sessions are enabled, the server has to create a SESSION for that user. When creating it, the server first checks whether the request sent by the user contains a SESSION ID. If it does, the user has logged in before and a SESSION was created for them, so the server looks up that SESSION in its memory by the SESSION ID (if it cannot be found, a new one may be created). If the client's request contains no SESSION ID, the server creates a SESSION for that client and generates a SESSION ID associated with it. This SESSION ID is a unique, non-repeating string with no easily discoverable pattern. It is returned to the client in the current response and stored there, and what stores it is precisely the COOKIE, so that during later interaction the browser automatically sends this identifier to the server according to the usual rules.
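The following added example (not code from the original post) ties the Cookie mechanism from the shopping-cart section above to the Session lookup just described: a request without a known session id gets a new Session and a Set-Cookie header carrying a freshly generated, unpredictable id; a request that sends that id back finds the same server-side Session again. The in-memory store, the shop.example.com requests and the HttpOnly attribute are assumptions added here.

```python
import secrets

COOKIE_NAME = "JSESSIONID"   # cookie name the text says the Session relies on
SESSIONS: dict = {}          # server-side store: session id -> that user's Session data

def parse_cookie_header(value: str) -> dict:
    """Turn the request's Cookie header line ('a=1; b=2') into a dict."""
    out = {}
    for pair in value.split(";"):
        name, _, val = pair.strip().partition("=")
        if name:
            out[name] = val
    return out

def handle_request(request_headers: dict):
    """The server-side steps from the text: look for a SESSION ID in the Cookie
    header; if it names a known Session reuse it, otherwise create a new Session
    with a fresh, unpredictable id and hand that id back via Set-Cookie.
    Returns (session_data, response_headers, session_id)."""
    cookies = parse_cookie_header(request_headers.get("Cookie", ""))
    sid = cookies.get(COOKIE_NAME)
    response_headers = {}
    if sid is None or sid not in SESSIONS:
        # Missing or unknown id (never issued, expired, or made up by the client):
        # do not trust it, create a new Session instead.
        sid = secrets.token_urlsafe(32)      # unique, unpredictable string
        SESSIONS[sid] = {"cart": []}
        # No expires attribute, so the browser keeps the id only for this browser
        # session. HttpOnly is an addition here (not in the text): it stops page
        # scripts from reading the id.
        response_headers["Set-Cookie"] = f"{COOKIE_NAME}={sid}; Path=/; HttpOnly"
    return SESSIONS[sid], response_headers, sid

def shopping_flow():
    """Two requests from one browser (constructed): the second carries the id
    back, so the item put in the cart on the first request is still there."""
    session, first, sid = handle_request({"Host": "shop.example.com"})
    session["cart"].append("item-1")
    session2, second, sid2 = handle_request(
        {"Host": "shop.example.com", "Cookie": f"{COOKIE_NAME}={sid}"})
    return {"same_session": sid == sid2, "set_cookie_first": "Set-Cookie" in first,
            "set_cookie_second": "Set-Cookie" in second, "cart": session2["cart"]}
```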

Uses:

  1. Determining whether a user is logged in
  2. Shopping cart functionality

Differences between Cookie and Session

  1. Different storage location

    Cookies are stored on the client; Sessions are stored on the server.
  2. Different ways of storing data

    A Cookie can only hold ASCII strings; to store Unicode characters or binary data, they must be encoded first. Java objects cannot be stored directly in a Cookie either. Storing even slightly complex information with Cookies is rather difficult.
    
    A Session can hold data of any type, including but not limited to String, Integer, List, Map and so on. Java Beans and even any Java class or object can be stored directly in a Session, which is very convenient. A Session can be regarded as a Java container class.
  3. Different security (privacy)

    Cookies are stored in the browser and are visible to the client; some client-side programs may snoop on, copy or even modify the contents of a Cookie. A Session is stored on the server and is opaque to the client, so there is no risk of sensitive information leaking. If you choose Cookies, a better approach is to keep sensitive information such as account names and passwords out of Cookies as far as possible. Best is to do as Google and Baidu do: encrypt the Cookie information and decrypt it after it is submitted to the server, so that only you can read what is in the Cookie. If you choose Session it is much simpler: since it is kept on the server, any private data in the Session can be protected effectively.
  4. Different validity periods

    Just set the Cookie's expiry attribute to a very large number and the Cookie can be kept in the browser for a very long time. Since a Session depends on a Cookie named JSESSIONID, and the expiry time of the JSESSIONID Cookie defaults to -1, the Session becomes invalid as soon as the browser is closed (the session ends).
  5. Different load on the server

    Sessions are kept on the server, and every user produces a Session. If there are very many concurrent users, very many Sessions are produced, consuming a lot of memory. Cookies are kept on the client and use no server resources. If there are very many concurrent users, Cookies are a good choice.
  6. Different cross-domain support

    Cookies support cross-domain access; for example, setting the domain attribute to ".baidu.com" lets every domain name with the suffix ".baidu.com" access the Cookie. Cross-domain Cookies are now widely used on the web. Sessions do not support cross-domain access; a Session is valid only within the domain it belongs to.


Origin www.cnblogs.com/plf-Jack/p/11105228.html