HTTP with Sessions and Cookies

HTTP Requests and Responses

Client-Server Architecture

Client-Server Model: The exchange of information through a cycle of requests and responses between clients and servers

Typical client-server communication:

1. The client communicates with a server to request resources
2. The server queries the resources from its connected internal servers
3. The server sends a response back to the client

HTTP Requests

In order for clients and servers to communicate over the web, they must use the HTTP Protocol

HTTP is an OSI Layer 7: Application protocol used to transfer resources over the internet

A client generates an HTTP Request when initiating communication with a server, in which the server receives the request, then locates and sends the requested resource back to the client

HTTP Methods

• GET: Requests data from a server
• HEAD: Identical to GET, but the server does not send the response body
• POST: Sends data to a source
• PUT: Replaces the current data with the new value
• DELETE: Deletes a specified resource
• CONNECT: Establishes a tunnel to the server
• OPTIONS: Lists the communication options for target resource

Anatomy of a GET Request

• Request Line: Contains the request method, name of the requested resource, and HTTP version
  • Can also contain query parameters
• Headers: Contain details about the resource
• Whitespace: Blank line indicating the end of the request

Anatomy of an HTTP Response

• Status Line: Contains the response status code and translation
• Response Body: Contains the resource requested by the client

GET Requests

GET Requests are used for receiving information fro an HTTP server

• Request Line:
  • GET: Request method
  • /js/analytics.js: Requested resource, which is the file path from a domain stated in the header (Host)
  • HTTP version 1.1: Protocol version used by the browser
• Header Section:
  • Connection: keep-alive: Instructs the server to keep open the TCP connection used for the HTTP transfer after sending the response
    • Allows the client-server to reuse the TCP connection for later HTTP requests
    • The alternative is performing a TCP handshake: opening a connection, transferring the request and response, closing the connection, and repeating the request for each response cycle
    • This would result in slower transfers
  • Host: www.target-server.com: Contains the domain name of the target server
  • Upgrade-Insecure-Requests: 1: Instructs the server to convert the HTTP connection into HTTPS
  • Accept: text/html/, text/js, */*: Instructs the server that the client expects to receive a JavaScript or HTML document response, but will accept data of any type
  • User-Agent: Mozilla/4.0: Instructs the server that this request is coming from a Mozilla 4.0 browser

GET requests can also request data with query parameters, which are used for specifying which parts of a resource to receive or send data to:

• The request line contains the specific parameters: /articles?tag=latest&author=jane

Syntax for query parameters: [path]?[firstParam]=[value]&[secondParam]=[value]

POST Request

• Structure is similar to a GET request, but includes a request body below the whitespace

HTTP Responses

• Status Line:
  • HTTP/1.1: Protocol in use
  • 200 OK: Status code
• Headers:
  • Date: Timestamp of when the response was generated
  • Server: Apache/2.4.7 (Ubuntu): Indicates server is running Apache 2.4.7 on Ubuntu
  • X-Powered-By: PHP/5.5.9-lubuntu4.21: Indicates the servers is running PHP 5.5.9 on Lubuntu with kernel version 4.21
    • Set-Cookie: SESSID=8toks; httponly: Instructs the client to create a cookie called SESSID with the value of 8toks, and that this cookie can only be set by the server with HTTP

Using curl

Running curl with only a URL executes a basic GET request, which will return all of the HTML that makes up the requested page

curl --head will only respond with the response header:

curl --head <https://posthere.io>

HTTP/1.1 200 OK
Server: nginx/1.9.2
Date: Wed, 22 Sep 2021 02:33:31 GMT
Content-Type: text/html
Content-Length: 12905
Last-Modified: Thu, 26 Mar 2020 17:34:43 GMT
Connection: close
ETag: "5e7ce7b3-3269"
Accept-Ranges: bytes

• Content-Type: text/html: Indicates the type of the response body
• Server: nginx/1.9.2: Indicates the type of server sending the response

To send a POST request, use -X POST with curl:

curl -X POST <https://posthere.io/09cc-48cc-8720?query=parameter>

• 09cc-48cc-8720: The endpoint being posted to
• query=parameter: The query and its value being posted

To create a POST request with plain data, use the -d option:

curl -X POST -d "test data" <https://posthere.io/a18c-4434-bb1a>

To create a POST request with JSON data, use the -H option:

curl -X POST -d "{\\"jsonKey1\\": \\"jsonValue1\\", \\"jsonKey2\\": \\"jsonValue2\\"}" -H "Content-Type: application/json" <https://posthere.io/7d85-4c0b-ad4d> 

Sessions and Cookies

HTTP resources are inherently stateless, meaning that there is no way to distinguish one user from another

Websites use sessions with cookies to deliver user specific content

Sessions: Unique server-side sets of user data that are used to customize webpages depending on the specific user accessing them

Cookies: Small pieces of text data that once sent by an HTTP server’s response header are saved by the user’s HTTP client

Cookie Session Example:

1. A user visits a shopping site and is presented with a default page
2. The user adds an item to their shopping cart, and this action is configured to send a POST request to the HTTP server that includes the data of the recently added item
3. When the website receives the request, it instructs the database to create a unique cookie and link it to the user’s session
   1. The session in the database stores a list of the items in the user’s cart
4. The HTTP server then retrieve’s the user’s shopping cart session from the database and responds back to the user’s client with Set-Cookie:cart=user in the response header, and a response body containing the user’s updated cart contents
5. The user’s client saves the new cookie locally
6. Any new request made by the user’s browser will send the cookie back via a request header (Cookie: cart=user) to the HTTP server

Microservices and Web Application Architecture

Application Structure

Components of a Typical Web App

Front-end Server: Responsible for displaying webpages and styling them in a readable format, as well as responsible for receiving and responding to HTTP requests

Back-End Server: Executing business logic and writing or reading corresponding data to and from a database

Database: Stores information about employees

Information Flow Between Application Components

1. The user loads an application in their browser and selects a button to view data
2. The front-end server forwards the HTTP request to the back end
3. The back-end server runs a script that queries the database for the requested data
4. The database searches for the requested data
5. The back-end script forwards the data to the front-end server
6. The front-end server prepares a new webpage containing the requested data
7. The browser displays the new page to the user

Monolith vs. Microservices

Monolith: A singular machine that hosts all the components required to serve a website or application

If a component of the machine malfunctions, the application will stop working

Microservices

In microservice architecture, each independent machine is a component that executes one primary function or service

Benefits of Microservices include:

• Scalability and resiliency
• Rapid response
• Isolated improvement