
  • Basic authentication (low security level; rarely used by public websites)
  • Digest authentication (not widely used)
  • SSL client authentication (authentication with a client certificate, as in online-banking logins)
  • Form-based authentication: username and password (the most common)



SSL client authentication is used as two-factor authentication

The SSL client certificate authenticates the client computer; a form-based password check is then used to confirm that the person at that computer is the user themselves.


8.5 Form-Based Authentication

There is no common standard for form-based authentication; every Web site implements it in its own way.

The principle: the client sends credentials (usually a username and password) to the server's Web application, which checks them against the login information it already holds for that user.


8.5.2 Session management and cookies

Cookies are commonly used to manage sessions, making up for the state management that the HTTP protocol itself lacks. After a successful login the server issues a session ID, sends it to the client in a cookie, and recognizes the user by that cookie on later requests.
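The login-plus-session flow described above, written out as an added example in Python (this is not code from the book or from the original page). It assumes an in-memory user store and session table standing in for a database, and names such as `login` and `current_user` are chosen here for illustration. Passwords are stored as salted PBKDF2 hashes, the cookie carries only an unguessable session ID, and the ID is regenerated on every login:

```python
import hashlib
import hmac
import os
import secrets
from http.cookies import SimpleCookie

# In-memory stores standing in for a database (constructed for this example).
# USERS maps username -> (salt, PBKDF2 hash); SESSIONS maps session id -> username.
USERS = {}
SESSIONS = {}
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, so a leaked store does not reveal passwords."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(username, password):
    USERS[username] = hash_password(password)


def login(username, password):
    """Handle the submitted login form.

    Returns (session_id, set_cookie_value) on success, or (None, None) on
    failure. The Set-Cookie value is what the server sends back with its
    response; the browser stores it and returns it on later requests.
    """
    record = USERS.get(username)
    # Always run the hash, even for unknown users, so response timing does not
    # reveal whether the username exists.
    salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
    _, candidate = hash_password(password, salt)
    if record is None or not hmac.compare_digest(stored, candidate):
        return None, None

    # Fresh, unguessable session id on every login (defeats session fixation);
    # the cookie carries only this id, the user identity stays server-side.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username

    cookie = SimpleCookie()
    cookie["SID"] = sid
    cookie["SID"]["path"] = "/"
    cookie["SID"]["httponly"] = True   # not readable from JavaScript
    cookie["SID"]["secure"] = True     # only sent over HTTPS
    cookie["SID"]["samesite"] = "Lax"  # not sent on cross-site POSTs
    return sid, cookie.output(header="").strip()


def current_user(cookie_header):
    """Resolve the Cookie request header of a later request to a username."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get("SID")
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)


def logout(cookie_header):
    """Invalidate the session server-side; clearing the cookie alone is not enough."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get("SID")
    if morsel is not None:
        SESSIONS.pop(morsel.value, None)
```

Because the cookie holds only an opaque ID, a stolen or forged cookie that does not match a live server-side session resolves to no user, and logging out removes the server-side entry so a previously captured cookie stops working.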




9 Protocols built on top of HTTP that add functionality

9.2 SPDY: eliminating HTTP's bottlenecks

Published by Google in 2010.

SPDY (pronounced "SPeeDY"): resolves HTTP's performance bottlenecks and shortens page loading time.

9.2.1 HTTP bottlenecks

Take Facebook as an example: to display updates as close to real time as possible, the server needs to send an update to the client as soon as it happens, but HTTP can only deliver it as the response to a client request.

  • A connection can carry only one request at a time.
  • Requests can only be started by the client; the client cannot receive anything other than responses.
  • Request and response headers are sent uncompressed; the larger the headers, the greater the delay.
  • Long, largely identical headers are re-sent on every request, wasting bandwidth.


Ajax (Asynchronous JavaScript and XML): uses JavaScript and DOM manipulation to replace only part of a Web page, so that only that part has to be loaded over the network.

At its core is the XMLHttpRequest API, through which JavaScript can carry out HTTP communication with the server.

Drawback: the problems of the HTTP protocol itself remain unsolved; every partial update is still a full HTTP request with its own headers.


SPDY adds a session layer between the application layer (HTTP) and the transport layer (TCP).

  • Multiplexed streams: a single TCP connection handles multiple requests concurrently.
  • Request prioritization: requests can be given priorities.
  • HTTP header compression.
  • Server push: the server proactively pushes data to the client without waiting for a client request.

But when a Web site draws resources from multiple domains, the improvement is limited.


9.3 WebSocket: full-duplex communication

With the WebSocket API, the browser and server perform a handshake only once; a persistent connection is then established directly between the two, and data can be sent in both directions over it.


  • Push: the server can send data to the client without the client issuing a request.
  • Less traffic: once the connection is up, the per-message framing overhead is small compared with HTTP headers.

The handshake:

  • Handshake request: the client sends an HTTP request carrying Upgrade: websocket and related header fields.

Sec-WebSocket-Key: a random base64 string; it is the key value needed to complete the handshake.

Sec-WebSocket-Protocol: chat, superchat; lists the subprotocols the client wants to use.

⚠️: both Upgrade: websocket and Connection: Upgrade must be present.

  • Handshake response: the server answers the request with status code 101 Switching Protocols.

Sec-WebSocket-Accept: a base64 string the server derives from the Sec-WebSocket-Key in the request (the key is concatenated with a fixed GUID, SHA-1 hashed and base64 encoded, as specified in RFC 6455). It is not random: the client recomputes it and accepts the connection only if the values match, which proves that it is talking to a WebSocket-aware server rather than receiving, say, a cached HTTP response.
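The handshake above, both sides, as an added example in Python (not code from the book or the original page, and not a full WebSocket implementation; framing after the 101 is out of scope). It uses the fixed GUID and the sample key from RFC 6455; the function names, the hypothetical host `server.example.com` and the origin allow-list are assumptions made for illustration. The server side checks the two required header fields, the key format and the Origin header, and the client side verifies Sec-WebSocket-Accept:

```python
import base64
import hashlib
import os

# Fixed GUID from RFC 6455; the server appends it to the client's key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def make_client_key():
    """Sec-WebSocket-Key: 16 random bytes, base64 encoded (24 characters)."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def compute_accept(key):
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)). Deterministic, not random."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_handshake_request(host, path, key, origin, subprotocols=()):
    """Client side: the HTTP/1.1 upgrade request."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        f"Origin: {origin}",
        "Sec-WebSocket-Version: 13",
    ]
    if subprotocols:
        lines.append("Sec-WebSocket-Protocol: " + ", ".join(subprotocols))
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_message(raw):
    """Split a handshake request or response into (start line, {lowercased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers


def server_handshake(raw_request, allowed_origins, supported_subprotocols=("chat",)):
    """Server side: validate the request and return the 101 response, or a 4xx if it fails."""
    start, h = parse_message(raw_request)
    if not start.startswith("GET "):
        return "HTTP/1.1 405 Method Not Allowed\r\n\r\n"
    # Both fields are required; Connection may carry several comma-separated tokens.
    connection_tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if h.get("upgrade", "").lower() != "websocket" or "upgrade" not in connection_tokens:
        return "HTTP/1.1 400 Bad Request\r\n\r\n"
    if h.get("sec-websocket-version") != "13":
        return "HTTP/1.1 426 Upgrade Required\r\nSec-WebSocket-Version: 13\r\n\r\n"
    key = h.get("sec-websocket-key", "")
    try:
        valid_key = len(base64.b64decode(key, validate=True)) == 16
    except ValueError:  # binascii.Error is a ValueError subclass
        valid_key = False
    if not valid_key:
        return "HTTP/1.1 400 Bad Request\r\n\r\n"
    # Browsers always send Origin; checking it blocks cross-site WebSocket
    # hijacking, where a malicious page opens a socket that rides on the victim's cookies.
    if h.get("origin") not in allowed_origins:
        return "HTTP/1.1 403 Forbidden\r\n\r\n"
    lines = [
        "HTTP/1.1 101 Switching Protocols",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Accept: {compute_accept(key)}",
    ]
    # Pick the first subprotocol the client offered that the server supports.
    offered = [p.strip() for p in h.get("sec-websocket-protocol", "").split(",") if p.strip()]
    chosen = next((p for p in offered if p in supported_subprotocols), None)
    if chosen:
        lines.append(f"Sec-WebSocket-Protocol: {chosen}")
    return "\r\n".join(lines) + "\r\n\r\n"


def client_verify(key, raw_response):
    """Client side: accept the connection only if the server echoed the right Accept value."""
    start, h = parse_message(raw_response)
    return start.startswith("HTTP/1.1 101") and h.get("sec-websocket-accept") == compute_accept(key)
```

Note what the key does and does not do: Sec-WebSocket-Key is not a secret and provides no authentication of the client; it only lets the client detect a server (or intermediary) that is not really speaking WebSocket. Authentication and authorization still have to come from the cookies, tokens or TLS client certificates of the surrounding HTTP session, and the Origin check is what stops other sites from opening sockets on a user's behalf.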


9.4 HTTP/2.0

Faster and more secure: every website should upgrade to HTTP/2.

9.5 WebDAV: managing files on a Web server

WebDAV: Web-based Distributed Authoring and Versioning

A distributed file system protocol that lets clients copy, edit and otherwise manage files directly on a Web server.

It is an extension of HTTP/1.1, defined in RFC 4918.

