Understanding the HTTP POST request / response process - http

I've been trying to thoroughly understand the HTTP POST request / response process and although there are a lot of resources on google, none plainly give me the answer I'm after.
Example scenario:
I have a search form, I enter some query and make the request. I then get redirected to the search result page.
Could someone explain this process; in particular, I'm most interested in the redirection.
This is what I think is going on:
POST request containing query
|
v
Server receives request.
|
V
Server sends back response containing the page that the client should subsequently request.
|
V
Client receives response and requests page indicated in the response.
|
V
Server receives request and sends back requested page.
|
V
Client renders page.

That's exactly what happens. See Post/Redirect/Get on Wikipedia for an explanation of this pattern.
The client performs the POST request:
Client -> Server: POST / HTTP/1.1 (+payload)
Server -> Client: HTTP/1.1 302 See other (+location header +payload)
Now the client sees the 302 and performs an additional request to the resource identified by the location header:
Client -> Server: GET $location HTTP/1.1
Server -> Client: HTTP/1.1 200 OK (+payload)
You can use Fiddler or Charles for inspecting HTTP traffic.

Related

IIS - Accept a HTTP GET, then wait, trigger POST to API, wait for POST 200 OK reply with REDIRECT to original HTTP GET

I'd like to know if how I might achieve the following in IIS.
User clicks button in email with HTTP GET link.
Request is sent to IIS
IIS sends POST to MS Flow HTTP endpoint to trigger flow.
Flow finishes and sends back 200 OK
Original HTTP GET receives reply with REDIRECT to different URL (HTTP GET)
Essentially I need the first HTTP GET to tigger my flow, wait for it to complete then redirect the user to another webpage if successful.
Thanks !

Sending HTTP requests with AT commands on the ESP32

I'm trying to send AT commands to my ESP32* module and am not getting any response back.
I need to perform a POST request that contains the username and password and other requests later on. I am not structuring these correctly and there is not a lot of good documentation for this.
NOTE: because I cannot share my complete url due to privacy I will use something with the same length ********connected.com:443
Send login information to ********connected.com/login (POST) body{"email":"myemail.ca", "password":"xxxxx"}
once I get the token I will make other requests.
get information regarding user profile ********connected.com/getRoutine ( GET) query param username="bob"
I really want to understand how these requests are structured so if someone can explain it to me elegantly that would be great!
Here is what I have tried..
AT
OK
AT+CIPSTART="TCP","********connected.com",443
CONNECT
OK
AT+CIPSEND=48
> "GET ********connected.com:443/getUsersOnline"
OK
>
Recv 48 bytes
SEND OK
CLOSED
REQUESTED POST REQUEST I HAVE USED
AT+CIPSEND=177 “POST \r Host: ********connected.com\r\n Accept: application/json\r\n Content-Length: 224r\n Content-Type: application/jsonr\n { "email":"myemail.com", "password":"myPassword" } “
There are actually several parts of your system that might be the cause of the malfunctioning:
The AT commands sent (it is not clear how you check for server responses. Responses could proviede clues about what's wrong)
The server side app seems to be a custom implementation that might have bugs as well
The POST request might be malformed
Let's focus on the last one.
POST are described in RFC 7231, and though it is an obscure description without examples, it makes one thing clear: there's not actually a well defined standard... because it is strictly application dependant!
I also quote the relevant part of this brilliant answer to an old SO question:
When receiving a POST request, you should always expect a "payload", or, in HTTP terms: a message body. The message body in itself is pretty useless, as there is no standard.
For this reason, all we can do is to build a POST request as accurate as possible and then to debug the system as a whole thing making sure that the request matches what expected by the server side application.
In order to do this, let's check another external link I found: POST request examples. We found this request:
POST /test HTTP/1.1
Host: foo.example
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
field1=value1&field2=value2
Now let's compare this example to your request:
POST
Host: ********connected.com
Accept: application/json
Content-Length: 224
Content-Type: application/jsonr
{ "email":"myemail.com", "password":"myPassword" }
You are saying to the server that you want to pass a resource to an unspecified application (no path), and that this resource is 224 bytes long (wrong! Message body is shorter).
For these reasons, at least these things can be improved:
POST /path/invic18app.php HTTP/1.1 //The path to the application and HTTP version are missing
Content-Length: 48 //This must be the length of the message body, without the header. I also would write it as the last option, just before message body
Write TWO empty lines before message body, otherwise the server will interpret it as further (wrong) options
I hope this helps you, even if it is a tentative answer (I cannot try this request myself). But, again, you definitely need to sniff packets a TCP levels, in order to avoid debugging the server if you are not sure that data is actually received! If you cannot install Wireshark, also tcpdump will be ok.

Is it suitable to use 200 HTTP status code for a forbidden web page?

What is the difference when we use 200 response status code for a forbidden page with an error message saying 'Access Denied' instead of using 403 response status code?
Are there any security implications?
The HTTP Response codes convey information about how the server has processed your request. So, if the server responds with 200, it means: "OK, I have received your request and processed it successfully". If it returns 403, it would mean: "I received your request successfully, but you don't have access to this resource".
However, technically they are both returned in the same format, in the same way in the response HTTP header like this:
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
The difference is in the meaning. And the meanings are defined in the standard.
So, when you are responding with code 200, you are telling the client that it is all good and dandy. If you are responding to client with 403, you are saying that the client doesn't have permission to this resource. Remember, there can be different clients: web browsers, crawlers, ajax requests from javascript, etc.
So, if you are sending a login form with 200 code:
Users who are using a web browser would understand that they need to login.
Google crawler will index your members/quality-content URL with the login form and will not understand that actually, the original content is different and it should not index this page with the login form.
Javascript with ajax callback will run success callback, when it should be running error callback function.
So, basically, make us all a favour and follow the standards! :)
Answering your second question, no it does not make your application any less secure.
The reason for this decision might be that error message was not visiable using Internet explorer like described here: How do I suppress "friendly error messages" in Internet Explorer?
Actually the correct way is to use the right HTTP error code and make the error message longer than 512 bytes as described here:
https://support.microsoft.com/en-us/kb/294807
Response status codes are intended to help the client to understand the result of the request. Whenever possible, you should use the proper status codes.
The semantics of the status codes are defined in the RFC 7231, the current reference for HTTP/1.1.
While the 200 status code indicates that the request has succeeded, the 403 status code indicates that the server understood the request but refuses to authorize it:
6.3.1. 200 OK
The 200 (OK) status code indicates that the request has succeeded. The payload sent in a 200 response depends on the request method. [...]
6.5.3. 403 Forbidden
The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any). [...]
Returning 200 will work, for sure. But why would you return 200 if you can return a much more meaningful status code? If is there any good reason, this should be added to your question.

Difference between GET and POST in an HTTP response (not request)

I already know the difference between POST and GET, but does the HTTP response changes when I make a request like:
GET / HTTP/1.1
Host: www.engadget.com
or
POST / HTTP/1.1
Host: www.engadget.com
I'm doing a basic web server (Can't use php or any server-side language) for an assignment so I need to know if the response changes or is basically the same.
It's up to the recipient of the request (server) to send back a response. The client can pass preferences to influence the response in the header (content type etc), but ultimately the response is determined by the server.

ASP.NET form losing POST values in a proxy environment

I have an ASP.NET form (a login page), when I POST the values to the server, the request passes through a proxy and the POST pareameters end up getting lost and ultimately the page just refreshes as there are no POST parameters.
The thing is that this is not a constant issue as sometimes you can log in fine and generally if you clear your browser temp files it then works ok.
I ran Fiddler to check what's going on and basically I'm getting:
A regular POST request containing session id, POST data etc. The response (HTTP 407) contains a Proxy-Authenticate: Negotiate and Proxy-Support: Session-Based-Authentication header
The next request to the server contains a Proxy-Authorization: Negotiate header containing a long string (base64 i think). This request does NOT contain the POST values. The response is another 407 and actually now that i look at it Fiddler displays 'HTTP/1.1 407 Proxy Authentication Required ( Access is denied. )' as the header.
Then there's a third request that contains the Proxy-Authorization header and returns 200 OK, but of course the POST values weren't sent
Subsequent requests result in a HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. ) response followed by a second successful but empty request.
The client wont let me bypass the proxy as it's intermittent and all other pages in the application (that include plenty of web forms) work fine.
Any ideas on what I can try?

Resources