RFC1945-http1.0 self-translation - (7)

zhaozj 2021-02-08

10.7 Expiration (Expires)

The Expires entity-header field gives the date/time after which the entity should be considered stale. This lets an information provider suggest the volatility of a resource, or a date after which the information may no longer be valid. Applications must not cache this entity beyond the date given. The presence of an Expires field does not imply that the original resource will change or cease to exist at, before, or after that time. However, an information provider that knows or even suspects that a resource will change by a certain date should include an Expires header with that date. The format is an absolute date and time as defined by HTTP-date (Section 3.2).

Expires = "Expires" ":" HTTP-date

E.g:

Expires: Thu, 01 Dec 1994 16:00:00 GMT

If the date given is equal to or earlier than the value of the Date header, the recipient must not cache the enclosed entity. If the resource is dynamic by nature, entities from that resource should be given an appropriate Expires value which reflects that dynamism.

The Expires field cannot be used to force a user agent to refresh its display or reload a resource; its semantics apply only to caching mechanisms, and such mechanisms need only check a resource's expiration status when a new request for that resource is initiated.

User agents often have history mechanisms, such as a "Back" button and a history list, which can be used to redisplay an entity retrieved earlier in a session. By default, the Expires field does not apply to history mechanisms. If the entity is still in storage, a history mechanism should display it even if the entity has expired, unless the user has specifically configured the agent to refresh expired history documents.

Note: Applications should be tolerant of bad or misinformed implementations of the Expires header, such as a value of zero (0) or an invalid date format; these should be treated as equivalent to "expires immediately". Although such values are not legitimate HTTP/1.0, a robust implementation is always desirable.

Berners-Lee, et al. Informational [Page 41]

10.8 From

The From request-header field, if given, should contain an Internet e-mail address for the human user who controls the requesting user agent. The address should be machine-usable, as defined by mailbox in RFC 822 [7] (as updated by RFC 1123 [6]).

From = "From" ":" mailbox

E.g:

From: webmaster@w3.org

This header field may be used for logging purposes and as a means of identifying the source of invalid or unwanted requests. It should not be used as an insecure form of access protection. The interpretation of this field is that the request is being performed on behalf of the person given, who accepts responsibility for the method performed. In particular, robot agents should include this header so that the person responsible for running the robot can be contacted if problems occur at the receiving end.

The Internet e-mail address in this field may be separate from the Internet host which issued the request. For example, when a request is passed through a proxy, the original issuer's address should be used.

Note: The client should not send the From header field without the user's approval, as doing so may conflict with the user's privacy interests or the site's security policy. It is strongly recommended that the user be able to disable, enable, and modify the value of this field at any time prior to a request.

10.9 If-Modified-Since

The If-Modified-Since request-header field is used with the GET method to make it conditional: if the requested resource has not been modified since the time specified in this field, the server does not return a copy of the resource; instead it returns a 304 (not modified) response without any Entity-Body.

If-Modified-Since = "If-Modified-Since" ":" HTTP-date

E.g:

If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT


A conditional GET method requests that the identified resource be transferred only if it has been modified since the date given by the If-Modified-Since header; if the resource is unchanged, nothing is transferred. The algorithm for determining this covers the following cases:

a) If the request would normally result in anything other than a 200 (ok) status, or if the If-Modified-Since date passed is invalid, the response is exactly the same as for a normal GET. A date which is later than the server's current time is invalid.

b) If the resource has been modified since the If-Modified-Since date, the response is exactly the same as for a normal GET.

c) If the resource has not been modified since a valid If-Modified-Since date, the server returns a 304 (not modified) response.

The purpose of this feature is to allow efficient updates of cached information with a minimum amount of transaction overhead.

10.10 Last Modified (Last-Modified)

The Last-Modified entity-header field indicates the date and time at which the sender believes the resource was last modified. The exact semantics of this field are defined in terms of how the recipient should interpret it: if the recipient has a copy of this resource which is older than the date given by the Last-Modified field, that copy should be considered stale.

Last-Modified = "Last-Modified" ":" HTTP-date

E.g:

Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT

The exact meaning of this header field depends on the implementation of the sender and the nature of the original resource. For files, it may be just the file system last-modified time. For entities with dynamically included parts, it may be the most recent of the last-modified times of its component parts. For database gateways, it may be the last-update timestamp of the record. For virtual objects, it may be the last time the internal state changed.

An origin server should not send a Last-Modified date which is later than the server's time of message origination. In such cases, where the resource's last modification would indicate some time in the future, the server should replace that date with the message origination date.
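To make the cache rules of Sections 10.7, 10.9 and 10.10 concrete, here is an added example in Python (not part of the RFC or of this translation): a tolerant HTTP-date parser, the Expires check, the three conditional-GET cases, and the Last-Modified clamp. The `resource` dict and the server clock `now` are constructed stand-ins for real server state.

```python
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime


def parse_http_date(value):
    """Parse an HTTP-date such as "Thu, 01 Dec 1994 16:00:00 GMT".
    Returns an aware datetime, or None when the value is missing or not a
    valid date (e.g. the "0" that Section 10.7 says to tolerate)."""
    if not value:
        return None
    try:
        dt = parsedate_to_datetime(value.strip())
    except (TypeError, ValueError, IndexError):
        return None
    if dt.tzinfo is None:  # a naive result (e.g. "-0000") is taken as GMT
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def may_cache(response_headers, now):
    """Section 10.7: an invalid Expires (or 0) means "expires immediately";
    an Expires equal to or earlier than Date means the entity must not be
    cached. With no Date header the server clock is approximated by `now`."""
    expires = response_headers.get("Expires")
    if expires is None:
        return True  # nothing in this section forbids caching
    exp = parse_http_date(expires)
    if exp is None:
        return False
    date = parse_http_date(response_headers.get("Date")) or now
    return exp > date


def conditional_get(request_headers, resource, now):
    """Section 10.9 cases a), b), c). `resource` is a constructed dict with the
    status a plain GET would give, its last_modified datetime and its body.
    Returns (status, body); body is None for 304 (no Entity-Body)."""
    body = resource["body"]
    if resource["status"] != 200:  # a) not a 200 result: plain GET behaviour
        return resource["status"], body
    ims = parse_http_date(request_headers.get("If-Modified-Since"))
    if ims is None or ims > now:  # a) absent/invalid date, or later than server time
        return 200, body
    if resource["last_modified"] > ims:  # b) modified since the date
        return 200, body
    return 304, None  # c) unchanged: 304 without an Entity-Body


def last_modified_header(resource_mtime, now):
    """Section 10.10: never advertise a Last-Modified later than the message
    origination time; clamp it to `now` instead."""
    stamp = min(resource_mtime, now).astimezone(timezone.utc)
    return format_datetime(stamp, usegmt=True)


if __name__ == "__main__":
    now = datetime(1994, 11, 20, tzinfo=timezone.utc)  # constructed server clock
    doc = {"status": 200, "body": b"<html>...</html>",
           "last_modified": parse_http_date("Tue, 15 Nov 1994 12:45:26 GMT")}
    print(conditional_get({"If-Modified-Since": "Sat, 29 Oct 1994 19:43:31 GMT"}, doc, now))
    print(conditional_get({"If-Modified-Since": "Wed, 16 Nov 1994 00:00:00 GMT"}, doc, now))
```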


10.11 Location

The Location response-header field defines the exact location of the resource that was identified by the Request-URI. For 3xx (redirection) responses, the location must indicate the server's preferred URL for automatic redirection to the resource. Only one absolute URL is allowed.

Location = "Location" ":" absoluteURI

E.g:

Location: http://www.w3.org/hypertext/www/newlocation.html

10.12 Directives (Pragma)

The Pragma general-header field is used to include implementation-specific directives that may apply to any recipient along the request/response chain. From the protocol's point of view, all pragma directives specify optional behavior; however, some systems may require that behavior be consistent with the directives.

Pragma = "Pragma" ":" 1#pragma-directive

pragma-directive = "no-cache" | extension-pragma

extension-pragma = token [ "=" word ]

When the "no-cache" directive is present in a request message, an application should forward the request toward the origin server even if it has a cached copy of what is being requested. This allows a client to insist upon receiving an authoritative response to its request. It also allows a client to refresh a cached copy which is known to be corrupted or stale.

Pragma directives must be passed through by proxy and gateway applications, regardless of their significance to that application, since the directives may apply to other recipients along the request/response chain. Any pragma directive not relevant to a recipient should be ignored by that recipient.

10.13 Referrer (Referer)

The Referer request-header field allows the client to specify, for the server's benefit, the address (URI) of the resource from which the Request-URI was obtained. This allows a server to generate lists of back-links to resources for maintenance, logging, optimized caching, and so on.


Referer = "Referer" ":" ( absoluteURI | relativeURI )

E.g:

Referer: http://www.w3.org/hypertext/datasources/overview.html

If a partial URI is given, it should be interpreted relative to the Request-URI. The URI must not include a fragment.

Note: Because the source of a link may be private information or may reveal an otherwise private information source, it is strongly recommended that the user be able to select whether or not the Referer field is sent. For example, a browser client could have a toggle switch for browsing openly or anonymously, which would respectively enable or disable the sending of Referer and From information.

10.14 Server

The Server response-header field contains information about the software used by the origin server to handle the request. The field can contain multiple product tokens (Section 3.7) and comments identifying the server and any significant subproducts. By convention, the product tokens are listed in order of their significance for identifying the application.

Server = "Server" ":" 1*( product | comment )

E.g:

Server: CERN/3.0 libwww/2.17

If the response is being forwarded through a proxy, the proxy application must not add its own data to the product list.

Note: Revealing the specific version of the server software may make the server machine more vulnerable to attacks against software that is known to contain security holes. Server implementers are encouraged to make this field a configurable option.


Note: Some existing servers fail to restrict themselves to the product token syntax within the Server field.

10.15 User Agent (User-Agent)

The User-Agent request-header field contains information about the user agent originating the request. This is for statistical purposes and for automated recognition of user agents, so that responses can be tailored to avoid the limitations of particular user agents. Although it is not required, user agents should include this field with requests. The field can contain multiple product tokens (Section 3.7) and comments identifying the agent and any subproducts which form a significant part of it. By convention, the product tokens are listed in order of their significance for identifying the application.

User-Agent = "User-Agent" ":" 1*( product | comment )

E.g:

User-Agent: CERN-LineMode/2.15 libwww/2.17b3

Note: Some current proxy applications append their own product information to the list in the User-Agent field. This is not recommended, since it makes machine interpretation of the field ambiguous.

Note: Some existing clients fail to restrict themselves to the product token syntax within the User-Agent field.
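The product token syntax shared by the Server and User-Agent fields (Sections 10.14 and 10.15), as an added example that is not from the RFC or from this translation: a parser for `1*( product | comment )` that accepts nested comments and rejects the syntax violations both notes mention, plus a constructed `redacted_server_value` helper showing one way to implement the configurable Server field that the note in 10.14 recommends.

```python
import re

# token = 1*<any CHAR except CTLs or tspecials> (RFC 1945 Section 2.2)
TOKEN = re.compile(r"[!#$%&'*+\-.0-9A-Z^_`a-z|~]+")


def parse_products(value):
    """Split a Server or User-Agent field value into the 1*( product | comment )
    list of Sections 10.14 and 10.15. Products become ("product", name, version)
    with version None when no "/" part is present; comments become
    ("comment", text), with nested parentheses kept inside the text."""
    items, i, n = [], 0, len(value)
    while i < n:
        c = value[i]
        if c.isspace():
            i += 1
        elif c == "(":
            depth, j = 0, i
            while j < n:
                if value[j] == "(":
                    depth += 1
                elif value[j] == ")":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            if depth != 0:
                raise ValueError("unterminated comment")
            items.append(("comment", value[i + 1:j]))
            i = j + 1
        else:
            m = TOKEN.match(value, i)
            if not m:  # e.g. a stray ")" or a tspecial inside the product name
                raise ValueError(f"not a product token at offset {i}: {value[i:]!r}")
            name, version, i = m.group(), None, m.end()
            if i < n and value[i] == "/":
                v = TOKEN.match(value, i + 1)
                if not v:
                    raise ValueError(f"missing product-version after {name}/")
                version, i = v.group(), v.end()
            items.append(("product", name, version))
    return items


def redacted_server_value(value, keep_versions=False):
    """Defender-side helper (constructed, not part of RFC 1945) for the notes in
    Sections 10.14 and 12.4: rebuild a Server value from its product names only,
    dropping comments and, unless keep_versions is set, version numbers."""
    parts = []
    for item in parse_products(value):
        if item[0] == "product":
            _, name, version = item
            parts.append(f"{name}/{version}" if keep_versions and version else name)
    return " ".join(parts)


if __name__ == "__main__":
    print(parse_products("CERN/3.0 libwww/2.17"))
    print(parse_products("CERN-LineMode/2.15 libwww/2.17b3 (Unix (BSD) build)"))
    print(redacted_server_value("CERN/3.0 libwww/2.17"))  # CERN libwww
```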

10.16 WWW-Authenticate

The WWW-Authenticate response-header field must be included in 401 (unauthorized) response messages. The field value consists of at least one challenge that indicates the authentication scheme(s) and parameters applicable to the Request-URI.

WWW-Authenticate = "WWW-Authenticate" ":" 1#challenge

The HTTP access authentication process is described in Section 11. User agents must take special care in parsing the WWW-Authenticate field value if it contains more than one challenge, or if more than one WWW-Authenticate header field is provided, since the contents of a challenge may itself contain a comma-separated list of authentication parameters.


11. Access Authentication

HTTP provides a simple challenge-response authentication mechanism which may be used by a server to challenge a client request and by a client to provide authentication information. It uses an extensible, case-insensitive token to identify the authentication scheme, followed by a comma-separated list of attribute-value pairs which carry the parameters necessary for achieving authentication via that scheme.

auth-scheme = token

auth-param = token "=" quoted-string

An origin server uses a 401 (unauthorized) response message to challenge the authorization of a user agent. This response must include a WWW-Authenticate header field containing at least one challenge applicable to the requested resource.

challenge = auth-scheme 1*SP realm *( "," auth-param )

realm = "realm" "=" realm-value

realm-value = quoted-string

The realm attribute (case-insensitive) is required for all authentication schemes which issue a challenge. The realm value (case-sensitive), in combination with the canonical root URL of the server being accessed, defines the protection space. These realms allow the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database. The realm value is a string, generally assigned by the origin server, which may have additional semantics specific to the authentication scheme.

A user agent that wishes to authenticate itself with a server, usually but not necessarily after receiving a 401 (unauthorized) response, may do so by including an Authorization request-header field with the request. The Authorization field value consists of credentials containing the authentication information of the user agent for the realm of the resource being requested.

credentials = basic-credentials
              | ( auth-scheme #auth-param )

The domain over which credentials can be automatically applied by a user agent is determined by the protection space. If a prior request has been authorized, the same credentials may be reused for all other requests within that protection space for a period of time determined by the authentication scheme, parameters, and/or user preference.


Unless otherwise defined by the authentication scheme, a single protection space cannot extend outside the scope of its server.

If the server does not wish to accept the credentials sent with a request, it should return a 403 (forbidden) response.

HTTP access authentication is not restricted to this simple challenge-response mechanism. Additional mechanisms may be used, such as encryption at the transport level or via message encapsulation, together with additional header fields specifying authentication information. However, these mechanisms are not discussed in this document.

Proxies must be completely transparent regarding user agent authentication. That is, they must forward the WWW-Authenticate and Authorization headers untouched, and must not cache the response to a request containing Authorization. HTTP/1.0 does not provide a means for a client to be authenticated with a proxy.

11.1 Basic Authentication Scheme

The basic authentication scheme is based on the model that the user agent must authenticate itself with a user-ID and a password for each realm. The realm value should be considered an opaque string which can only be compared for equality with other realms on that server. The server will authorize the request only if it can validate the user-ID and password for the protection space of the Request-URI. There are no optional authentication parameters.

Upon receipt of an unauthorized request for a URI within the protection space, the server should respond with a challenge like the following:

WWW-Authenticate: Basic realm="WallyWorld"

where "WallyWorld" is the string assigned by the server to identify the protection space of the Request-URI. To receive authorization, the client sends the user-ID and password, separated by a single colon (":") character, within a base64 [5] encoded string in the credentials.

basic-credentials = "Basic" SP basic-cookie

basic-cookie      = <base64 [5] encoding of userid-password, except not limited to 76 char/line>

userid-password   = [ token ] ":" *TEXT

If the user agent wishes to send the user-ID "Aladdin" and password "open sesame", it would use the following header field:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

The basic authentication scheme is a non-secure method of filtering unauthorized access to resources on an HTTP server. It is based on the assumption that the connection between the client and the server can be regarded as a trusted carrier; as this is not generally true on an open network, the basic scheme has many weak points in practice. Nevertheless, clients still need to implement the scheme in order to communicate with servers that use it.
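An added example (not the RFC's or the translator's code) working through Sections 11 and 11.1 in Python: parsing the Basic challenge, building the Authorization credentials for the Aladdin example above, and decoding them again to show why the text calls the scheme non-secure. The function names are my own.

```python
import base64
import re

# auth-param = token "=" quoted-string; this pattern pulls one name="value" pair
AUTH_PARAM = re.compile(r'\s*([^\s=,"]+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*(?:,|$)')


def parse_challenge(www_authenticate):
    """Parse one challenge from a WWW-Authenticate value (Section 11):
    challenge = auth-scheme 1*SP realm *( "," auth-param ).
    The scheme and attribute names are case-insensitive and are lower-cased;
    the realm value is case-sensitive and returned untouched."""
    scheme, _, rest = www_authenticate.strip().partition(" ")
    params = {}
    for m in AUTH_PARAM.finditer(rest):
        params[m.group(1).lower()] = re.sub(r"\\(.)", r"\1", m.group(2))
    if "realm" not in params:
        raise ValueError("challenge lacks the required realm attribute")
    return scheme.lower(), params


def basic_credentials(userid, password):
    """Build the Authorization value of Section 11.1: "Basic" SP base64 of
    userid ":" password. The user-ID is a token, so it cannot contain ':'."""
    if ":" in userid:
        raise ValueError("user-ID must not contain ':'")
    cookie = base64.b64encode(f"{userid}:{password}".encode("latin-1")).decode("ascii")
    return f"Basic {cookie}"


def decode_basic(authorization):
    """Recover (userid, password) from an Authorization header. Anyone who can
    read the request on the wire can do the same: base64 is an encoding, which
    is why Section 12.1 calls the scheme non-secure."""
    scheme, _, cookie = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic credentials")
    userid_password = base64.b64decode(cookie.strip(), validate=True).decode("latin-1")
    userid, sep, password = userid_password.partition(":")  # password may contain ':'
    if not sep:
        raise ValueError("userid-password must contain ':'")
    return userid, password


if __name__ == "__main__":
    print(parse_challenge('Basic realm="WallyWorld"'))
    header = basic_credentials("Aladdin", "open sesame")
    print(header)  # Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    print(decode_basic(header))  # ('Aladdin', 'open sesame')
```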

12. Security Considerations

This section is meant to inform application developers, information providers, and users of the security limitations of HTTP/1.0 as described by this document. It only discusses the security issues and makes some suggestions for reducing the risks; it does not provide definitive solutions to the problems.

12.1 Authentication of Clients

As mentioned in Section 11.1, the Basic authentication scheme is not a secure method of user authentication, nor does it prevent the Entity-Body from being transmitted in clear text across the physical network used as the carrier. HTTP/1.0 does not prevent additional authentication schemes and encryption mechanisms from being employed to address the increasingly prominent security issues.

12.2 Safe Methods

The writers of client software should be aware that the software represents the user in their interactions over the Internet, and should be careful to allow the user to be aware of any actions they may take which may have an unexpected significance to themselves or to other parties.

In particular, the GET and HEAD methods should be considered safe: they should never have the significance of taking an action other than retrieval. This allows user agents to represent other methods, such as POST, in a special way, so that the user is made aware that a possibly unsafe action is being requested.


Naturally, it is not possible to ensure that the server does not generate side effects as a result of performing a GET request; in fact, some dynamic resources consider that a feature. The important distinction here is that the user did not request the side effects, and so cannot be held accountable for them.

12.3 Abuse of Server Log Information

A server is in a position to save personal data about a user's requests which may identify their reading patterns or subjects of interest. This information is clearly confidential in nature, and its handling may be constrained by law in certain countries. People using the HTTP protocol to provide data are responsible for ensuring that such material is not distributed without the permission of any individuals that are identifiable by the published results.

12.4 Transfer of Sensitive Information

Like any generic data transfer protocol, HTTP cannot regulate the content of the data that is transferred, nor is there any a priori method of determining the sensitivity of any particular piece of information within the context of a given request. Therefore, applications should supply as much control over this information as possible to the provider of that information. Three header fields are worth special mention in this context: Server, Referer and From.

Revealing the specific version of the server software may make the server machine more vulnerable to attacks against software that is known to contain security holes. Server implementers are encouraged to make the Server field a configurable option.

The Referer field allows reading patterns to be studied and reverse links drawn. Although it can be very useful, its power can be abused if user details are not separated from the information contained in the Referer. Even when the personal information has been removed, the Referer field may indicate a private document's URI whose publication would be inappropriate.

The information sent in the From field might conflict with the user's privacy interests or the site's security policy, and hence it should not be transmitted without the user being able to disable, enable, and modify the contents of the field. The user must be able to set the contents of this field within a user preference or application defaults configuration.

We suggest, though do not require, that a convenient toggle interface be provided for the user to enable or disable the sending of From and Referer information.


Please credit the original source when reposting: https://www.9cbs.com/read-1813.html
