HTTP

1
HTTP

• The HyperText Transfer Protocol

2
Objectives

• Introduce HTTP
• Introduce HTTP support in .NET

3
Content

• Whats the purpose?
• HTTP Messages Bottom up Overview
• Requests and Responses
• State/Session Management Cookies
• Security Challenge and Response Authentication
• HTTP and .NET

4
Whats the End Goal?

• Make it possible to share information
• Publish some kind of resource
• Written information
• A software application
• Data from a database
• Whatever!

5
Overview of How it Works

• A host makes resources available
• A Resource is identified by a Universal Resource
  Identifiers
• The host listens for requests for its resource(s)
• It listens using what is called a port
• The HTTP port can be any numeric value but 80
  is the default
• Clients request a resource from the host
• Provides a scheme HTTP
• Provides a Universal Resource Identifier (URI)
• May specify the port with which to talk
• The host responds!

6
HTTP Defined 1/3

• HTTP HyperText Transfer Protocol
• Application level protocol
• HTTP communication usually takes place over
  TCP/IP
• This is not a requirement, but most often the case

7
HTTP, TCP/IP and the OSI Model
TCP/IP
OSI Model
HTTP/1.1
8
HTTP Request / Response in Action
Client
Server
HTTP Request
HTTP Response
9
HTTP Defined 2/3

• It is a request/response protocol
• A client sends a request to a server
• Requests are made to a specific resource more
  later
• The server returns a response
• Message based communication

10
HTTP Defined 3/3

• Designed for distributed, collaborative
  information systems
• Designed specifically for HyperMedia or
  HyperText
• Generic, stateless protocol
• HTTP/1.1 extends the previous version HTTP/1.0
• Digest authorization, persistent connections,etc
• The Web as you know it is built on HTTP!

11
HTTP/1.1 vs. HTTP/1.0

• Persistent connections
• Default behavior is now persistent connections
• Replace the practice of using Keep-alive
  messages
• Additional status codes
• 1xx status codes introduced

12
Protocol Parameters of Interest

• HTTP Version
• Uniform Resource Identifier (URI)
• Date and Time Formats
• Character sets
• Content codings
• Transfer codings
• Chunked transfer codings

13
Messages

• Only two types of messages in HTTP
• Request
• Response
• Types of messages differ only in the their start
  line
• Messages contain zero or more headers
• Provide information about the message
• Depend on the type and the message content
• May contain a message body

14
A Message by Example
HTTP/1.1 200 OKServer Microsoft-IIS/5.0Date
Tue, 27 Mar 2001 103530 GMTContent-Type
text/htmlAccept-Ranges bytesLast-Modified
Tue, 27 Mar 2001 103452 GMTETag
"8c70de8ea9b6c01d0dContent-Length 488lthtmlgt
ltheadgt lttitlegt Test Page For HTTP lt/titlegt
lt/headgt ltbodygt ltpgt ltimg
src"IN00483_.gif" width"36" height"35"gt
Test Page! lt/pgt lt/bodygtlt/htmlgt
15
Message Dissected by Diagram

• Request Line
• Method
• Request URI
• HTTP Version Info

• Response Line
• (a.k.a. Status Line)
• HTTP Version Info
• Status Code
• Description

Headers
Message Body
16
Message Body Overview

• Used to carry an entity body
• Entity differs from message body when encoding
  exist
• Example the entity body is compressed
• It is an Octet an 8-bit sequence of data
• May be divided into pieces and sent in chunks
• When size cannot be predetermined
• Reassembled during reception of the messages
• Messages do not have to have a message body
• Some messages cannot have a message body

17
Examples of a Message Body

• A Web page!
• The text to render as the page is the body
• Login information or other form data
• Shopping information item you wish to buy
• Data from a data source

18
Overview of Headers

• Provide information about the message
• This may be about the entire message
• The length of the message
• Date or time when the message was generated
• The message body specifically
• Is it compressed or otherwise transformed in
  some way?
• Or the method
• Request information only after a certain date
  and/or time

19
Header Syntax

• Each message header is a value pair
• header name header value
• The header value can be a separated list
• Examples
• Content-Encoding gzip, abc, xyzAccept
  audio/Accept text/html, text/plain, text/pdf
• Headers are case insensitive

20
Types of Headers

• Several types of headers
• General
• Request
• Response
• Entity
• Best Practice Order the headers from General
  to Entity

21
General Headers

• Applicable to both requests and responses
• Apply only to the transmitted message
• Examples of general headers
• Connection Connection options
• Date Date time at which message was originated
• Via Used for tracking message forwards
• etc

22
Entity Headers

• Give meta-information
• About the entity-body being transferred
• Or, if no entity-body exists, about the resource
  of the request
• Apply only if a message body exists
• Examples of entity headers
• Allow List of methods supported by the resource
• Content-Encoding Indicates types of content
  codings applied
• Content-Language Language of the intended
  audience
• Content-Length Size of entity-body
• Expires Date/time after which response is
  considered stale
• etc

23
Requests Headers

• Additional information about the request
• May include information about the client (or
  sender) itself
• Examples of request headers
• Accept Specifies media types acceptable for
  response
• Accept-Charset Indicates acceptable character
  sets
• Accept-Encoding Similar to Accept specific to
  encodings
• Accept-Language Limits response to preferred
  languages
• Host Specifies the host (optional) port of the
  resource
• etc

24
Responses Headers

• More information than available from just the
  status line
• May be information about the server or the
  resource
• Examples of response headers
• Age Estimate of time since response was
  generated
• ETag Current value of the entity tag
• Location Used to redirect to a different
  location (URI)
• Proxy-Authenticate Proxy authentication
  challenge
• Retry-After Expected time that a service will be
  unavailable
• Server Information about the server software
  used
• WWW-Authenticate Authentication challenge
• etc

25
Three Parts of a Request Line

• Request Method
• Request URI
• HTTP version information which protocol are we
  using?

26
Request Methods

• Indicates the type of request to perform
• Request methods of interest
• GET (or retrieve) information from the resource
  server
• POST the information back to the resource
  server
• A few other request methods of interest
• DELETE the information from the resource server
• PUT the information at the resource location
• HEAD Like GET but only returns meta-information
• OPTIONS Gets the communication available

27
Uniform Resource Identifier (URI)

• Identifies a (network) resource
• RFC 2396 defines syntax and semantics of URIs
• May be an absolute or relative address
• The resource syntax
• http_URL "http" "//" host "" port
  abs_path "?" query

28
Universal Resources URI, URL, URN

• Three types of resources, all acceptable!
• Universal Resource Identifier (URI)
• Universal Resource Location (URL)
• Universal Resource Name (URN)
• No limits on character length of a URI
• But the server may artificially constrain
  length - typically 4-8 KB
• Examples of HTTP resource
• http//www.myCo.com/Some/Other/Resource

29
HTTP Version

• Used by sender to notify receiver of its
  abilities
• Version information is included in first line of
  message
• Uses ltmajorgt . ltminorgt numeric notation
• Examples 1.0 or 1.1
• ltmajorgt number indicates the message format
• ltminorgt number indicates extensions to major
  format
• HTTP-Version "HTTP" "/" 1DIGIT "." 1DIGIT
• Examples HTTP/1.0 or HTTP/1.1

30
Response Line Dissected

• HTTP Version Information
• Status Code
• Status Description

31
Status Codes Descriptions

• Status Code
• Conveys information about the response
• 3-digit result code
• Intended for use by automata
• Reason phrase or description
• Text description of the status code
• For presentation to the user
• Existing phrases are only suggestions - may be
  modified

32
Status Codes 5 Categories

• 1xx Informational
• Request received and processing is continuing
• 2xx Success
• The action was successfully received, understood,
  accepted
• 3xx Redirection
• Further action must must be taken to complete the
  request
• 4xx Client Error
• A client error occurred
• 5xx Server Error
• A server error occurred

33
Status Codes of Interest 1/2

• 100 Continue
• Tells the client to continue with a request
• 200 OK
• The request has succeeded
• Information returned depends on the type of
  request
• 202 Accepted
• The request has been accepted but not processed
• 302 Found
• Resource requested found but temporarily moved

34
Status Codes of Interest 2/2

• 400 Bad Request
• The request could not be understood
• 401 Unauthorized
• The request requires proper authorization
• 403 Forbidden
• The client may not access the resource
• 500 Internal Server Error
• The server encountered an unexpected error
• The request was not fulfilled
• 505 HTTP Version Not Supported
• The server does not or will not support the HTTP
  version

35
Persistent Connections

• Default behavior of connections in HTTP/1.1
• Faster and more efficient than temporary
  connections
• Fewer connections require less resources
• Request and responses can be pipelined in one
  connection
• Reduced number of packets generated
• Reduced TCP handshaking performed
• Summary of Benefits
• Decreased Internet congestion
• Decreased load on the server CPU, memory, etc

36
Cookies State/Session Management

• HTTP is stateless by definition
• Achieve state/session management using cookies
• Defined and described in RFC 2965
• Intent is to have 1 cookie per host or group of
  related hosts
• Created and stored on the client
• Accomplished using Cookie2 and Set-Cookie2
  headers
• Contain attribute value pairs
• Not designed or intended to hold authentication
  information
• Cookie information is unprotected

37
Baking and Eating Cookies

• State/session initiated by server not the
  client
• Sends a response which includes the Set-Cookie2
  header
• Set-Cookie2 may have a predefined attribute
  values pairs
• Max-Age Defines the maximum lifespan of the
  cookie
• Version Version of the state management
  specification
• Discard Tells client to discard the cookie when
  it terminates
• etc
• Client response includes the Cookie2 header

38
Cookies in Action
Server
Client
POST /foo/login HTTP/1.1 some form data
HTTP/1.1 200 OK Set-Cookie2 Customeryou
Version1 Path/foo
POST /foo/bar HTTP/1.1 Cookie2 Version1
Customeryou Path/foo some form data
HTTP/1.1 200 OK
...
39
HTTP/1.1 Authentication

• Basic and Digest Access Authentication
• Described and defined in RFC 2617
• Supports basic authentication of HTTP/1.0
• Adds digest based authentication
• Challenge / response authorization scheme
• Used for both basic and digest based
  authentication

40
Challenge / Response in Action
41
Basic Authentication

• User name and password are passed as clear text
• Client requests a resource
• Server challenges the request
• Sends an HTTP/1.1. 401 Unauthorized response
• Includes the WWW-Authenticate header
• Provides the realm or protected space accessed
• Client responds by resending request with
  credentials
• Includes the Authorization header

42
Basic Authentication in Action
Client
Server
GET www.myCo.com HTTP/1.1
HTTP/1.1 401 Unauthorized WWW-Authenticate Basic
realmwww.myCo.com
GET www.myCo.com HTTP/1.1Authorization Basic
user_id password
43
Digest Authentication 1/2

• User name and password are not passed as clear
  text
• Client and server use a common hashing algorithm
• This algorithm is used to mask the user and
  password
• Same algorithm must be supported by both client
  and server
• Default hashing algorithm is MD5
• Possible to define your own algorithm(s)
• Does not provide any encryption of the message
• Encryption can be done but is not part of the
  specification

44
Digest Authentication 2/2

• Client requests a resource
• Server challenges
• Client responds
• Concatenates user name, realm and password
• user_name realm password
• Generates a hash using the concatenated value
• Sends the response
• Server uses the same algorithm to authorize the
  Client
• Server sends back an acknowledgment of success

45
Digest Authentication in Action
Client
Server
GET www.myCo.com HTTP/1.1
HTTP/1.1 401 Unauthorized WWW-Authenticate
Digest realmwww.myCo.com ...
GET www.myCo.com HTTP/1.1Authorization Digest
user_name...
Response with Authentication-Info header
46
System.Net HTTP Support Extracted

• Provides simple interface to network protocols
• WebRequest WebResponse
• Base classes for request/response model in .NET
• Protocol agnostic abstract classes
• Should not be created directly
• Use WebRequestFactory.Create( ... )

WebRequest req reqWebRequestFactory.Create(http
//www.myCo.com)
47
HTTP Support in System.Net

• HttpWebRequest Derived from WebRequest
• HttpWebResponse Derived from WebResponse
• HttpVersion Encapsulates the HTTP version
• HttpStatusCode Contains the HTTP status codes
• etc

48
HttpWebRequest

• HTTP specific implementation of WebRequest
• HttpWebRequest objects should not be created
  directly
• Create a WebRequest using the WebRequestFactory
• WebRequestFactory will decide if HttpWebRequest
  needed
• Provides methods to ease working with HTTP
  requests
• GetResponse Gets the response from the request
• GetResponseStream Gets a Stream to write the
  request data
• etc

49
Properties of Interest

• Method Gets/sets the request method
• RequestURI Gets the original request URI
• ProtocolVersion HTTP version in use (1.0 or 1.1)
• Headers Collection of request headers
• Additional components of an HTTP request

50
HttpWebResponse

• HTTP specific implementation of WebResponse
• HttpWebResponse objects should not be created
  directly
• Returned by call to WebRequest.GetResponse()
• Provides methods to ease working with HTTP
  responses
• GetResponseHeader Gets the value of a specified
  header
• GetResponseStream Gets a Stream for reading the
  response body
• etc

51
Properties of Interest

• ProtocolVersion HTTP version in use (1.0 or 1.1)
• Status Gets the status code
• StatusDescription Gets the status description
• Headers Collection of response headers
• etc

52
HttpWebRequest/Response in Action
// Issue a request... HttpWebRequest req
req(HttpWebRequest) WebRequestFactory.Create
("http//www.myCo.com/") // Retrieve the
response...HttpWebResponse result(HttpWebRespons
e)req.GetResponse() // Print the
response...Stream resStream result.GetResponseS
tream() Byte read new Byte512 int bytes
ReceiveStream.Read(read, 0, 512)
Console.WriteLine(Your HTML...\r\n")
while (bytes gt 0) Console.Write(
System.Text.Encoding.ASCII.GetString(read, 0,
bytes) ) bytes ReceiveStream.Read(read, 0,
512)
53
Summary

• HTTP is an application protocol
• The World Wide Web runs on it
• Its a simple but robust message based protocol
• Its designed for more than just the Web
• HTTP is fully supported in.NET

54
Section 5 QA