State and the web

Written on 26 February 2017, 06:26pm


How do you get around the stateless nature of the web?

The HTTP protocol (along with other building blocks of the web, like IP and HTML) is stateless by design. This means that each connection is made up of a request and a response, without any reference to earlier or later connections. “Users don’t log in to the Web, nor do they ever log out”. So without any intervention, each connection to a website (each page visit) is independent from the others.

How do you get around that?
Well, there are 3 possibilities, all of them using existing elements of the HTTP protocol:
1. HTTP headers: cookies
2. HTTP URL: query string parameters
3. HTTP body: POST (form) data
Important to note is that each of these is under the client's control and can be altered (spoofed), so the server must validate or sign whatever state it gets back rather than trust it.
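An added example (not from the original post) of the three vehicles in action: one function pulls the state a request carries in its Cookie header, its query string and its form body, and a signed session cookie shows the server-side check that the caveat above calls for. The secret, the cookie names and the request values are constructed for the demo; only the standard library is used.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Assumption: a secret known only to the server; constructed for this demo.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def extract_client_state(method, url, headers, body=""):
    """Collect the state a request carries via the three HTTP vehicles:
    the Cookie header, the URL query string and a form-encoded POST body.
    Everything returned here was chosen by the client, not by the server."""
    state = {"cookie": {}, "query": {}, "form": {}}

    if "Cookie" in headers:
        jar = SimpleCookie()
        jar.load(headers["Cookie"])
        state["cookie"] = {name: morsel.value for name, morsel in jar.items()}

    query = urlsplit(url).query
    state["query"] = {k: v[0] for k, v in parse_qs(query).items()}

    ctype = headers.get("Content-Type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        state["form"] = {k: v[0] for k, v in parse_qs(body).items()}

    return state


def sign_value(value):
    """Append an HMAC-SHA256 tag so the server can later detect tampering."""
    tag = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_value(signed):
    """Return the original value if the tag matches, otherwise None."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; also False when the lengths differ.
    return value if hmac.compare_digest(tag, expected) else None


def current_user(request_state):
    """Resolve the session cookie to a user, refusing anything not signed by us."""
    signed = request_state["cookie"].get("session")
    if signed is None:
        return "anonymous"
    session = verify_value(signed)
    return session if session is not None else "anonymous"


if __name__ == "__main__":
    cookie = sign_value("user-alice")  # what Set-Cookie would have handed out
    req = extract_client_state(
        "POST", "/cart?item=42",
        {"Cookie": f"session={cookie}; theme=dark",
         "Content-Type": "application/x-www-form-urlencoded"},
        body="qty=3",
    )
    print(req)
    print(current_user(req))
```

Signing only detects tampering; it does not hide the value, so anything confidential still belongs on the server, with the cookie holding just an opaque identifier.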

HTTP/2 is still stateless at the request/response level, but it has some stateful components: the connection itself carries state such as the HPACK header compression tables and the set of open streams.

HTTPS is stateless as well. Just because there is a TLS handshake at the beginning does not make the connection stateful. The stateful protocol is TLS, but HTTPS remains stateless, just like HTTP.

Example of a stateful protocol: FTP. “FTP has a stateful control connection which maintains a current working directory and other flags, and each transfer requires a secondary connection through which the data are transferred” (Wikipedia).

Summing up:
Stateless: HTTP, HTTPS, IP
Stateful: TCP, TLS, FTP

https://xkcd.com/869/

How to send data from server to client over the web

1. Long polling: the client polls the server; the server holds the request open until new data is available, then responds with the new information. When the client receives it, it immediately sends another request.
2. Server push, available in HTTP/2: the client requests index.html; the server responds with index.html but also with style.css and script.js, before the client has parsed index.html and asked for them.
3. WebSockets (ws:// and wss://): an HTML5 feature aimed at addressing the request/response architecture of the web. There is a persistent connection between the client and the server and both parties can start sending data at any time.
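An added example (not from the original post) of the long-polling mechanism in point 1, simulated in-process with threads instead of real sockets: the server holds a request until new data exists or a timeout expires, and the client re-polls the moment a response comes back. The sequence-number cursor is an assumption of this demo, added so events published between two polls are not lost; the event payloads are constructed.

```python
import itertools
import threading
import time


class EventServer:
    """Server side of a long-poll endpoint, simulated in-process (no sockets).
    Events get increasing sequence numbers so a client can resume from the
    last one it saw instead of missing events published between two polls."""

    def __init__(self):
        self._events = []            # list of (seq, payload)
        self._seq = itertools.count(1)
        self._cond = threading.Condition()

    def publish(self, payload):
        with self._cond:
            self._events.append((next(self._seq), payload))
            self._cond.notify_all()  # wake every request currently held open

    def long_poll(self, since, timeout):
        """Handle one GET /events?since=N: hold the request open until an event
        newer than `since` exists or `timeout` seconds pass (then answer empty,
        so the client re-polls instead of the connection idling forever)."""
        deadline = time.monotonic() + timeout
        with self._cond:
            while True:
                fresh = [e for e in self._events if e[0] > since]
                if fresh:
                    return fresh
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    return []
                self._cond.wait(remaining)


def long_poll_client(server, wanted, timeout=0.5):
    """Client loop: each time a response arrives, record it and immediately
    issue the next request, carrying the last sequence number seen."""
    since, received = 0, []
    while len(received) < wanted:
        for seq, payload in server.long_poll(since, timeout):
            received.append(payload)
            since = seq
    return received


def run_demo(payloads=("order placed", "order paid", "order shipped")):
    """A publisher thread feeds constructed events with small gaps while the
    client long-polls; returns the payloads in the order the client got them."""
    server = EventServer()

    def publisher():
        for p in payloads:
            time.sleep(0.02)
            server.publish(p)

    t = threading.Thread(target=publisher)
    t.start()
    received = long_poll_client(server, wanted=len(payloads))
    t.join()
    return received


if __name__ == "__main__":
    print(run_demo())
```

The timeout matters in practice: proxies and load balancers cut idle connections, so a real long-poll endpoint answers empty before that limit and relies on the client to come straight back.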

Related links:

What really happens when you navigate to a URL
Understanding the concepts of Transport Security Layer (TLS)
How HTTP/2 will speed up your web browsing
XKCD: Server Attention Span
ColdFusion Book
An Introduction to WebSockets

From RFC 2965 (HTTP State Management Mechanism), on why cookies exist:

“Currently, HTTP servers respond to each client request without relating that request to previous or subsequent requests; the state management mechanism allows clients and servers that wish to exchange state information to place HTTP requests and responses within a larger context, which we term a “session”. This context might be used to create, for example, a “shopping cart”, in which user selections can be aggregated before purchase, or a magazine browsing system, in which a user’s previous reading affects which offerings are presented.

Neither clients nor servers are required to support cookies. A server MAY refuse to provide content to a client that does not return the cookies it sends.”
https://tools.ietf.org/html/rfc2965

Random things that keep me busy

Written on 2 November 2013, 11:52pm


HTTP 2.0: Google vs Microsoft compete for IETF specifications

HTTP 1.1 underpins the web as we know it, but it is starting to show its age.

Google already built SPDY, a protocol that proves to be twice as fast as HTTP. Remember the OSI Model layer stack? SPDY adds a session layer atop SSL that allows for multiple concurrent, interleaved streams over a single TCP connection. The main features of SPDY are:
– Multiplexed streams
– Request prioritization
– HTTP header compression
– Server push
– Server hint
More details about SPDY: http://dev.chromium.org/spdy/spdy-whitepaper

Microsoft came later in the game with a kinky proposal: HTTP S&M, Speed and Mobility. The HTTP Speed+Mobility proposal starts from both the Google SPDY protocol and the work the industry has done around WebSockets. Microsoft seems to be less concerned with speed, and more concerned with mobile apps and devices, as well as backwards compatibility. As far as WebSockets are concerned, they are an HTML5 feature aimed at addressing the request/response architecture of the web. There is a persistent connection between the client and the server and both parties can start sending data at any time.

A good comparative analysis here: S&M vs. SPDY: Microsoft and Google battle over the future of HTTP 2.0

In one year's time, IETF should come up with a proposal for HTTP 2.0. Note to self: check back next year 🙂

What really happens when you navigate to a URL

Speaking about HTTP: A nice refresher about how the current HTTP (1.1) works:
http://igoro.com/archive/what-really-happens-when-you-navigate-to-a-url/
DNS caching, CDN, ETag headers, Content-Encoding gzip, long-polling and the rest…

Review your privacy and cookies policy

Speaking about cookies, from a technical point of view, the only things you need to remember are the cookie attributes: name, value, domain, path, expires, secure, httponly. The server sets them, the browser saves them and sends them along with subsequent requests. Ah, and don’t forget about session vs persistent cookies (see the ‘expires’ attribute).

Then, in the recent context of privacy and data protection, as a site owner it’s a good idea to have a cookie audit. Not necessarily to comply with the EU’s privacy directive (the Cookie law), but because it’s good for the site owners and their users to have clearer policies and information on privacy.
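An added example (not from the original post) that ties the two paragraphs above together: a small audit routine that parses a Set-Cookie header into the attributes listed (name, value, domain, path, expires, secure, httponly), classifies the cookie as session or persistent from its expiry, and reports what a technical cookie audit would flag. The header values fed to it are constructed; the parsing is the standard library's http.cookies.

```python
from http.cookies import SimpleCookie


def audit_set_cookie(header_value):
    """Inspect one Set-Cookie header value and report its attributes plus
    the findings a cookie audit would raise. One header carries one cookie."""
    jar = SimpleCookie()
    jar.load(header_value)
    if len(jar) != 1:
        raise ValueError("expected exactly one cookie per Set-Cookie header")
    name, morsel = next(iter(jar.items()))

    # Session cookie: no Expires and no Max-Age, so it dies with the browser
    # session. Persistent cookie: either attribute is present.
    persistent = bool(morsel["expires"]) or bool(morsel["max-age"])

    report = {
        "name": name,
        "value": morsel.value,
        "domain": morsel["domain"] or None,
        "path": morsel["path"] or None,
        "expires": morsel["expires"] or None,
        "max_age": int(morsel["max-age"]) if morsel["max-age"] else None,
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
        "kind": "persistent" if persistent else "session",
        "findings": [],
    }

    if not report["secure"]:
        report["findings"].append("missing Secure: cookie is also sent over plain HTTP")
    if not report["httponly"]:
        report["findings"].append("missing HttpOnly: cookie is readable from page scripts")
    if report["domain"]:
        report["findings"].append(
            f"Domain={report['domain']}: cookie is shared with every subdomain")
    if report["path"] is None:
        report["findings"].append("no Path: scope defaults to the request's directory")
    return report


def audit_response_headers(set_cookie_values):
    """Audit every Set-Cookie header of one response; reports keyed by cookie name."""
    return {r["name"]: r for r in (audit_set_cookie(v) for v in set_cookie_values)}


if __name__ == "__main__":
    # Constructed headers: one well-set session cookie, one loosely-set persistent one.
    sample = [
        "sid=abc123; Path=/; Secure; HttpOnly",
        "prefs=dark; Domain=example.com; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    ]
    for name, report in audit_response_headers(sample).items():
        print(name, report["kind"], report["findings"])
```

Running this against a site's real responses gives the inventory a policy review needs: which cookies are session-only, which persist and for how long, and which ones are exposed more widely than their purpose requires.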

The people at econsultancy.com found 3 levels of approach:

Level 1 = a more prominent link to the privacy policy and improved information within the policy itself
Level 2 = user can selectively opt in/out of groups of cookies
Level 3 = active opt-in (the only one strictly compliant)

Next Captchas will be about recognizing objects in images

Speaking about privacy and data protection, it looks like the computers are catching up with humans. Using machine learning, a San Francisco-based company is working on software with the goal of developing a sense of vision for machines. By ‘sense of vision’ they mean:

– recognize letters wherever they appear,
– identify objects in photographs,
– and generally do all the stuff any kid with healthy vision can do

The first progress report says their software solves CAPTCHAs on average 90% of the time.

Captcha’s original creator, Luis von Ahn, says: ‘An advance like this isn’t the end of CAPTCHA, although in time, CAPTCHA-breaking is likely to evolve to the point where companies will need to rely on another spambot gatekeeper. The next step is asking people to identify objects in photographs’. (http://www.popsci.com/article/technology/software-learns-crack-captchas)

Apparently, the only thing where humans are still better than computers is identifying objects in pictures. Oh, wait: Google+ can now identify random, untagged objects in your photos, so you can search for “cat” and find photos of your cat purely by object recognition alone.

UML: Generalisation vs classification

An easy one for the finish: be careful when you use an ‘is a’ relationship!
– classification: is an instance of
– generalisation: is a subtype of
Generalisation is transitive, whereas classification is not.
Example inspired by UML Distilled
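An added example (not from UML Distilled or the original post) that makes the two relationships visible in Python, where classes are themselves objects: `issubclass` is generalisation and `isinstance` is classification. A metaclass named Species is assumed here purely to give classes something they are instances of; the animal names are constructed.

```python
class Species(type):
    """Metaclass (assumed for the demo): every class built with it is an
    *instance* of Species, which gives us a second classification link."""


class Animal(metaclass=Species):
    pass


class Dog(Animal):          # generalisation: Dog is a subtype of Animal
    pass


class Puppy(Dog):           # generalisation again: Puppy is a subtype of Dog
    pass


fido = Puppy()              # classification: fido is an instance of Puppy


def generalisation_is_transitive():
    # Puppy <: Dog and Dog <: Animal, therefore Puppy <: Animal.
    return (issubclass(Puppy, Dog)
            and issubclass(Dog, Animal)
            and issubclass(Puppy, Animal))


def classification_is_not_transitive():
    # fido is an instance of Puppy, and Puppy is an instance of Species,
    # yet fido is NOT an instance of Species: the chain does not carry over.
    return (isinstance(fido, Puppy)
            and isinstance(Puppy, Species)
            and not isinstance(fido, Species))


if __name__ == "__main__":
    print("generalisation transitive:", generalisation_is_transitive())
    print("classification transitive:", not classification_is_not_transitive())
```

Note that `isinstance(fido, Animal)` is still true: that follows classification with generalisation (fido is a Puppy, and every Puppy is an Animal), which is a different chain from classification with classification.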

PS: iPad Air is awesome 🙂