2. Authentication
• Many sites require users to provide a
username and a password in order to access
the documents housed on the server.
• This requirement is referred to as
authentication.
• HTTP provides special status codes and
headers to help sites perform authentication.
3. Suppose a client requests an object from a server, and
the server requires user authorization.
1. The client first sends an ordinary request message
with no special header lines.
2. The server then responds with an empty entity body
and with a 401 Authorization Required status code.
In this response message the server includes the
WWW-Authenticate: header, which specifies the
details about how to perform authentication.
3. The client receives the response message and
prompts the user for a username and password. The
client resends the request message, but this time
includes an Authorization: header line, which
includes the username and password.
4. • After obtaining the first object, the client
continues to send the username and
password in subsequent requests for objects
on the server.
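The exchange in steps 1 to 3 above, as an added example that is not part of the original slides. It assumes the HTTP Basic scheme (the slides do not name one) and a constructed account and realm; `client_authorization`, `parse_basic` and `handle_request` are hypothetical names.

```python
import base64
import hmac

# Constructed sample account and realm (assumptions, not from the slides).
USERS = {"alice": "s3cret-pass"}
REALM = "documents"


def client_authorization(username, password):
    """Step 3, client side: build the Authorization header value (Basic scheme)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode("ascii")
    return "Basic " + token


def parse_basic(header_value):
    """Return (username, password) from an Authorization value, or None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def handle_request(headers):
    """Server side: return (status, response_headers, entity_body)."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = parse_basic(headers.get("Authorization", ""))
    if creds is None:
        # Step 2: no usable credentials, so 401 with an empty entity body.
        return 401, challenge, b""
    username, password = creds
    expected = USERS.get(username, "")
    # Constant-time comparison, also run for unknown usernames.
    matches = hmac.compare_digest(password.encode(), expected.encode())
    if not (matches and username in USERS):
        return 401, challenge, b""
    return 200, {"Content-Type": "text/plain"}, b"requested object"


if __name__ == "__main__":
    print(handle_request({}))                      # step 1: plain request
    auth = client_authorization("alice", "s3cret-pass")
    print(handle_request({"Authorization": auth}))  # step 3: resent request
    print(parse_basic(auth))  # base64 is reversible: credentials recovered
```

The Authorization value is only base64-encoded and is resent with every request, so anyone who can read the traffic can decode the password; this exchange needs TLS underneath it.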
5. Cookies
• Cookies are an alternative mechanism for sites
to keep track of users.
• Suppose a client contacts a Web site for the
first time, and this site uses cookies.
• The server’s response will include a
Set-cookie: header.
• Often this header line contains an
identification number generated by the Web
server.
• For example, the header line might be:
Set-cookie: 1678453
6. • When the HTTP client receives the response
message, it sees the Set-cookie: header and
identification number.
• It then appends a line to a special cookie file that is
stored in the client machine.
• This line typically includes the host name of the
server and the user's associated identification number.
• In subsequent requests to the same server, say one
week later, the client includes a Cookie: request
header, and this header line specifies the
identification number for that server.
• In the current example, the request message
includes the header line:
Cookie: 1678453
7. Web servers use cookies for many different
purposes:
• If a server requires authentication but doesn't
want to hassle a user with a username and
password prompt every time the user visits the
site, it can set a cookie.
• If a server wants to remember a user's
preferences so that it can provide targeted
advertising during subsequent visits, it can set a
cookie.
• If a user is shopping at a site, the server can use
cookies to keep track of the items that the user
is purchasing.
8. The Conditional GET
• By storing previously retrieved objects, Web
caching can reduce object-retrieval delays and
diminish the amount of Web traffic sent over
the Internet.
• HTTP has a mechanism that allows the client
to employ caching while still ensuring that all
objects passed to the browser are up-to-date.
This mechanism is called the conditional GET.
9. The Conditional GET...
• An HTTP request message is a so-called
conditional GET message if
– the request message uses the GET method and
– the request message includes an
If-Modified-Since: header line.
10. The Conditional GET...
• First, a browser requests an uncached object
from some Web server:
GET /fruit/kiwi.gif HTTP/1.0
User-agent: Mozilla/4.0
Accept: text/html, image/gif, image/jpeg
11. The Conditional GET...
• Second, the Web server sends a response
message with the object to the client:
HTTP/1.0 200 OK
Date: Wed, 12 Aug 1998 15:39:29
Server: Apache/1.3.0 (Unix)
Last-Modified: Mon, 22 Jun 1998 09:23:24
Content-Type: image/gif
data data data data data ...
12. The Conditional GET...
• The client displays the object to the user but
also saves the object in its local cache.
• Importantly, the client also caches the
last-modified date along with the object.
• Third, one week later, the user requests the
same object and the object is still in the cache.
13. The Conditional GET...
• Since this object may have been modified at the
Web server in the past week, the browser
performs an up-to-date check by issuing a
conditional GET. Specifically, the browser sends
GET /fruit/kiwi.gif HTTP/1.0
User-agent: Mozilla/4.0
Accept: text/html, image/gif, image/jpeg
If-modified-since: Mon, 22 Jun 1998 09:23:24
14. The Conditional GET...
• Note that the value of the If-modified-since:
header line is exactly equal to the value of the
Last-Modified: header line that was sent by
the server one week ago.
HTTP/1.0 304 Not Modified
Date: Wed, 19 Aug 1998 15:39:29
Server: Apache/1.3.0 (Unix)
(empty entity body)