I was wondering what kind of metadata is important to save on incoming http request.
Beside headers, Cookies and Session ID, is there more metadata that is important to log?
I was wondering what kind of metadata is important to save on incoming HTTP request.
It depends on your needs, but you always can log the HTTP method, the URL and the headers (it includes Cookie and Authorization headers).
You also may want to log the IP address of the caller and the request date/time.
Related
I need to check response header of HTTP request using OkHTTP library. before loading data I need to check it's last update time. The problem in that that the response body is about 2 MB so I need to get only Last-Modified header. Is it possible to load only response header without response body to increase the speed of the program`s RESTful actions?
You can send a HTTP HEAD request which only retrieves the headers. You only need to check if your server application supports HEAD requests.
The HEAD method is identical to GET except that the server MUST NOT
return a message-body in the response. The metainformation contained
in the HTTP headers in response to a HEAD request SHOULD be identical
to the information sent in response to a GET request. This method can
be used for obtaining metainformation about the entity implied by the
request without transferring the entity-body itself. This method is
often used for testing hypertext links for validity, accessibility,
and recent modification. (http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html)
Example for OkHttp:
String url = ...
Request request = new Request.Builder().url(url).head().build();
The response body is streamed, so you can make the regular request, read the headers, and then decide whether or not to consume the body. If you don’t want the body, you can close() it without much waste.
There is a slight cost to the server to serve a response that might be abandoned. But the overall cost will be lower than making a HEAD and then a GET request unless you expect abandon a significant fraction (say > 90%) of requests.
Consider I'm having >5KB size cookies, Which is a confidential data generating on client side which no one else can see that data.
So I'm trying to restrict that data to send with request. Is there any way to tell that do not send this cookies with request ??
As per cookies spec
When it sends a request to an origin server, the user agent includes a Cookie request header if it has stored cookies that are applicable to the request.
What is giving hope is in spec is stored cookies that are applicable to the request.
How to make it un- applicable to the request ??
So is this impossible ? Is there any way to configure web.xml in such a way like we set http-only?
<session-config>
<cookie-config>
<http-only>true</http-only>
</cookie-config>
</session-config>
The limit for cookies per domain is about 4KB, which you already exceed. Therefore, you ought to put all the confidential information into a session table instead of a cookie.
The HTTP specification states, that all cookie data need to be send with each request, because probably the server needs it. If you do not want that, then do not store data inside cookies, but use a different method of storing this sensitive information.
There is as well a good chance, that this sensitive information ends up in the access logs of the target server, another reason to not use cookies for that case.
Cookie is nothing but a small piece of information most of the times a string in the request header send by the client to server. If i add one more string to the request header at server in java like conn.addRequestProperty("iPlanetDirectoryPro", token); then is there any difference between the two? Can the second one be also considered as a cookie.
You'll want to read the HTTP specification (message headers) and the HTTP State Management specification.
The HTTP specification provides message headers
Each header field consists of a name followed by a colon (":") and the
field value.
For example, you could have
Content-Length:42
This is a header.
The HTTP State Management specification defines the Cookie and Set-Cookie headers. Those are two specific headers that are used for achieving state in HTTP request and response cycles (HTTP is a stateless protocol).
So
conn.addRequestProperty("iPlanetDirectoryPro", token); then is there
any difference between the two?
Yes, there is a big difference. The above is a simple request header. It has nothing to do with a Cookie.
I'm using java.net.HttpURLConnection.
I first write the body of the post request to the OutputStream associated with the URLConnection object.
After I have done that, I close the OutputStream and then call getInputStream() or getResponseCode() or getHeaderFields(). That's when I find out if the provided credentials were considered valid or not valid.
This is problematic, because I don't want to make the same post request again (and have to re-upload its contents, which could include large files) in the event that the user credentials were rejected for some reason.
Since an exception is thrown if there is an attempt to call getOutputStream() after getResponseCode() or getHeaderFields() have been called, how can I ensure that the user credentials were accepted before attempting to upload the data?
Is there a way around this or is it just the way the server is configured?
The short answer is: You can't do that.
Basic auth is stateless. When you're doing a POST/PUT the user credentials are sent as headers for that HTTP request. They are not processed until the entire operation is complete (i.e. after you've sent the data payload).
In order to do what you're talking about you'd need to write a web service that managed login and file/data uploading separately through session management, allowing you to first authenticate (returning a session token of some sort) then send the data via a separate HTTP request.
Edit to add: In reality, you could hack your way around this by simply doing a GET to something that also requires auth. If it succeeds, you know the POST will also succeed baring the credentials being invalidated server side between the two requests. I would not advise this, but it would work.
My initial code generated tokens for the requests that could alter state of my database, like CRUD operations. The token was generated for each request. Sent to client side in JSON-format along with other data and I expected this token to be returned with the request and changed it after completion of the request. But, as I implemented it to only parts of my code (CRUD operations), I was told to redo it and make it web-app wide. I think the best way to do this is with filters.
My problem is, how do I make the client send "the token" for each request? Do I set it in cookies? What are my options? Please advice.
best way is , all links should be GET request, and within get requests no modification should be made to application state. So for GET requests there will be no need for CSRF tokens.
For POST request s which make modifications in application state you have to generate, csrf hidden fields in your forms and validate the token in server during form submit.