Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Hidden Gems in HTTP (Atlanta PHP November 2...

Ben Ramsey
PRO
November 05, 2009
Programming
0
130

The Hidden Gems in HTTP (Atlanta PHP November 2009)

200, 404, 302. Is it a lock combination? A phone number? No, they’re HTTP status codes! As we develop Web applications, we encounter these status codes and others, and often we make decisions about which ones to return without giving much thought to their meaning or context. It’s time to take a deeper look at HTTP. Knowing the methods, headers, and status codes, what they mean, and how to use them can help you develop richer Internet applications. Join Ben Ramsey as he takes you on a journey through RFC 2616 to discover some of the gems of HTTP.

This is an expanded version of a talk Ben gave at CodeWorks 2009, so be sure to come early. We’ll be starting promptly at 7:00 PM so we don’t run out of time.

Ben Ramsey
PRO

November 05, 2009
Tweet

More Decks by Ben Ramsey

See All by Ben Ramsey
Let's Build a Composer Package (Cascadia PHP 2024)
ramsey
PRO
0
14
Internationalization and Localization With PHP (Cascadia PHP 2024)
ramsey
PRO
0
12
Saving Open Source (php[tek] 2024)
ramsey
PRO
0
8
Let's Build a Composer Package (php[tek] 2024)
ramsey
PRO
0
120
Internationalization & Localization With PHP (Longhorn PHP 2023)
ramsey
PRO
0
230
Let's Build a Composer Package (Longhorn PHP 2023)
ramsey
PRO
0
240
Put a UUID On It! (php[tek] 2023)
ramsey
PRO
0
180
Cool Tools for PHP Development (php[tek] 2023)
ramsey
PRO
0
230
Cool Tools for PHP Development (Nashville PHP April 2023)
ramsey
PRO
0
27

Other Decks in Programming

See All in Programming
ヤプリ新卒SREの オンボーディング
masaki12
0
130
NSOutlineView何もわからん:( 前編 / I Don't Understand About NSOutlineView :( Pt. 1
usagimaru
0
340
Arm移行タイムアタック
qnighy
0
330
ペアーズにおけるAmazon Bedrockを⽤いた障害対応⽀援 ⽣成AIツールの導⼊事例 @ 20241115配信AWSウェビナー登壇
fukubaka0825
6
2k
watsonx.ai Dojo #4 生成AIを使ったアプリ開発、応用編
oniak3ibm
PRO
1
140
シェーダーで魅せるMapLibreの動的ラスタータイル
satoshi7190
1
480
Macとオーディオ再生 2024/11/02
yusukeito
0
370
Streams APIとTCPフロー制御 / Web Streams API and TCP flow control
tasshi
2
350
Kaigi on Rails 2024 〜運営の裏側〜
krpk1900
1
230
CSC509 Lecture 11
javiergs
PRO
0
180
What’s New in Compose Multiplatform - A Live Tour (droidcon London 2024)
zsmb
1
480
Click-free releases & the making of a CLI app
oheyadam
2
120

Featured

See All Featured
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
The Art of Programming - Codeland 2020
erikaheidi
52
13k
Art, The Web, and Tiny UX
lynnandtonic
297
20k
The Cult of Friendly URLs
andyhume
78
6k
We Have a Design System, Now What?
morganepeng
50
7.2k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
How GitHub (no longer) Works
holman
310
140k
Optimising Largest Contentful Paint
csswizardry
33
2.9k
Typedesign – Prime Four
hannesfritz
40
2.4k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Building Adaptive Systems
keathley
38
2.3k

Transcript

  1. Hidden Gems in HTTP Ben Ramsey ▪ Atlanta PHP ▪

    5 Nov 2009

  2. Why HTTP?

  3. Because you are a Web developer.

  4. HTTP is the Web.

  5. That’s all I have to say about that.

  6. Some properties of HTTP…

  7. ▪ A client-server architecture ▪ Atomic ▪ Cacheable ▪ A

    uniform interface ▪ Layered ▪ Code on demand

  8. Now, what does that sound like?

  9. REST!

  10. And, that’s all I have to say about that, too.

  11. Our focus today…

  12. ▪ Semantic HTTP ▪ Methods you’ve never used ▪ Status

    codes you didn’t know existed ▪ Working with HTTP in PHP

  13. Semantics are important.

  14. 1 User requests page above their authorization level.

  15. 2 User is redirected to a login page where they

    are prompted to increase their authorization level.

  16. GET /protected/content/1234 HTTP/1.1 Host: example.org HTTP/1.1 302 Found Date: Tue,

    05 Nov 2009 17:34:24 GMT Server: Apache/2.2.14 (Unix) PHP/5.3.0 X-Powered-By: PHP/5.3.0 Location: /login Content-Length: 0 Content-Type: text/html; charset=utf-8

  17. The resource requested is found at another location?

  18. No, no, no. That’s not what we

  19. The semantics are all wrong.

  20. Methods you’ve never used…

  21. Well, not really never.

  22. ▪ You know GET ▪ Retrieval of information ▪ Transfers

    a representation of a resource from the server to the client ▪ Safe & idempotent GET

  23. GET /user/ramsey HTTP/1.1 Host: atom.example.org HTTP/1.1 200 OK Date: Tue,

    22 Sep 2009 17:28:14 GMT Server: Apache/2.2.11 (Unix) DAV/2 PHP/5.3.0 X-Powered-By: PHP/5.3.0 Content-Length: 594 Content-Type: application/atom+xml;type=entry <?xml version="1.0" encoding="utf-8"?> <entry xmlns="http://www.w3.org/2005/Atom" xml:base="http://atom.example.org/"> <title>ramsey</title> ... </entry>

  24. He just thinks he’s funny.

  25. Stop laughing. You’re just encouraging him.

  26. POST ▪ You know POST ▪ The body content should

    be accepted as a new subordinate of the resource ▪ Append, annotate, paste after ▪ Not safe or idempotent

  27. POST /user HTTP/1.1 Host: atom.example.org Content-Type: application/atom+xml;type=entry Content-Length: 474 <?xml

    version="1.0" encoding="utf-8"?> <entry xmlns="http://www.w3.org/2005/Atom" xml:base="http://atom.example.org/"> <title>ramsey</title> ... </entry> HTTP/1.1 201 Created Date: Tue, 22 Sep 2009 17:39:06 GMT Server: Apache/2.2.11 (Unix) DAV/2 PHP/5.3.0 X-Powered-By: PHP/5.3.0 Location: http://atom.example.org/user/ramsey Content-Length: 133 Content-Type: text/html; charset=utf-8 <div> The content was created at the location <a href="/user/ramsey"> http://atom.example.org/user/ramsey </a> </div>

  28. HEAD ▪ Identical to GET, except… ▪ Returns only the

    headers, not the body ▪ Useful for getting details about a resource representation before retrieving the full representation ▪ Safe & idempotent

  29. HEAD /content/1234.mp4 HTTP/1.1 Host: atom.example.org HTTP/1.1 200 OK Date: Tue,

    22 Sep 2009 17:28:14 GMT Server: Apache/2.2.11 (Unix) DAV/2 PHP/5.3.0 X-Powered-By: PHP/5.3.0 Content-Length: 12334753 Content-Type: application/mp4

  30. PUT ▪ Opposite of GET ▪ Storage of information ▪

    Transfers a representation of a resource from the client to the server ▪ Not safe ▪ Idempotent

  31. PUT /user/ramsey/ HTTP/1.1 Host: atom.example.org Content-Type: application/atom+xml;type=entry Content-Length: 594 <?xml

    version="1.0" encoding="utf-8"?> <entry xmlns="http://www.w3.org/2005/Atom" xml:base="http://atom.example.org/"> <title>ramsey</title> ... </entry> HTTP/1.1 200 OK Date: Tue, 22 Sep 2009 17:47:27 GMT Server: Apache/2.2.11 (Unix) DAV/2 PHP/5.3.0 X-Powered-By: PHP/5.3.0 Content-Length: 594 Content-Type: application/atom+xml;type=entry <?xml version="1.0" encoding="utf-8"?> <entry xmlns="http://www.w3.org/2005/Atom" xml:base="http://atom.example.org/"> <title>ramsey</title> ... </entry>

  32. DELETE ▪ Requests that the resource identified be removed from

    public access ▪ Not safe ▪ Idempotent

  33. DELETE /content/1234/ HTTP/1.1 Host: example.org HTTP/1.1 204 No Content Date:

    Tue, 22 Sep 2009 18:06:37 GMT Server: Apache/2.2.11 (Unix) DAV/2 PHP/5.3.0 X-Powered-By: PHP/5.3.0 Content-Length: 0 Content-Type: text/html; charset=utf-8

  34. What the hell are safe & idempotent methods?

  35. Safe methods ▪ GET & HEAD should not take action

    other than retrieval ▪ These are considered safe ▪ Allows agents to represent POST, PUT, & DELETE in a special way

  36. Idempotence ▪ Side-effects of N > 0 identical requests is

    the same as for a single request ▪ GET, HEAD, PUT and DELETE share this property ▪ OPTIONS and TRACE are inherently idempotent

  37. Status codes you didn’t know existed

  38. ▪ Informational (1xx) ▪ Successful (2xx) ▪ Redirection (3xx) ▪

    Client error (4xx) ▪ Server error (5xx)

  39. The look-before- you-leap request (LBYL)

  40. 1.Client sends a request without a body and includes the

    Expect: 100-continue header and all other headers 2.Server determines whether it will accept the request and responds with 100 Continue (or a 4xx code on error) 3.Client sends the request again with the body and without the Expect header

  41. 1 POST /content/videos HTTP/1.1 Host: example.org Content-Type: video/mp4 Content-Length: 115910000

    Authorization: Basic bWFkZTp5b3VfbG9vaw== Expect: 100-continue

  42. 2 HTTP/1.1 413 Request Entity Too Large Date: Thu, 21

    May 2009 23:05:15 GMT Server: Apache/2.2.11 (Unix) DAV/2 PHP/5.3.0 X-Powered-By: PHP/5.3.0 Content-Length: 0 Connection: close Content-Type: text/html Failure state

  43. 2 HTTP/1.1 100 Continue Date: Thu, 21 May 2009 23:05:15

    GMT Server: Apache/2.2.11 (Unix) DAV/2 PHP/5.3.0 X-Powered-By: PHP/5.3.0 Content-Length: 0 Content-Type: text/html Success state

  44. 3 POST /content/videos HTTP/1.1 Host: example.org Content-Type: video/mp4 Content-Length: 115910000

    Authorization: Basic bWFkZTp5b3VfbG9vaw== {binary video data}

  45. 4 HTTP/1.1 201 Created Date: Thu, 21 May 2009 23:05:34

    GMT Server: Apache/2.2.11 (Unix) DAV/2 PHP/5.3.0 X-Powered-By: PHP/5.3.0 Content-Length: 119 Content-Type: text/html Location: http://example.org/content/videos/1234 <html><body><p>Video uploaded! Go <a href="http://example.org/content/videos/ 1234">here</a> to see it.</p></body></html>

  46. ▪ There are some problems with supporting 100 Continue from

    PHP through Apache ▪ One suggestion is to use X-Expect instead of Expect ▪ But there are still odd problems occurring that I can’t explain Caveat

  47. The created at another location response

  48. 1 POST /content/videos HTTP/1.1 Host: example.org Content-Type: video/mp4 Content-Length: 115910000

    Authorization: Basic bWFkZTp5b3VfbG9vaw== {binary video data}

  49. 2 HTTP/1.x 201 Created Date: Thu, 21 May 2009 23:05:34

    GMT Server: Apache/2.2.11 (Unix) DAV/2 PHP/5.3.0 X-Powered-By: PHP/5.3.0 Content-Length: 120 Content-Type: text/html Location: http://example.org/content/videos/1234 <html><body><p>Video uploaded! Go <a href="http://example.org/content/videos/ 1234">here</a> to see it.</p></body></html>

  50. The “it’s not you it’s me” response

  51. i.e. I’ve accepted it but might have to do more

    processing

  52. 2 HTTP/1.x 202 Accepted Date: Thu, 21 May 2009 23:05:34

    GMT Server: Apache/2.2.11 (Unix) DAV/2 PHP/5.3.0 X-Powered-By: PHP/5.3.0 Content-Length: 137 Content-Type: text/html Location: http://example.org/content/videos/1234/status <html><body><p>Video processing! Check <a href="http://example.org/content/videos/1234/ status">here</a> for the status.</p></body></ html>

  53. The “I have nothing to say to you” response…

  54. …but you were still successful

  55. 1 DELETE /content/videos/1234 HTTP/1.1 Host: example.org Authorization: Basic bWFkZTp5b3VfbG9vaw==

  56. 2 HTTP/1.x 204 No Content Date: Thu, 21 May 2009

    23:28:34 GMT

  57. The ranged request

  58. ▪ Used when requests are made for ranges of bytes

    from a resource ▪ Determine whether a server supports range requests by checking for the Accept-Ranges header with HEAD

  59. 1 HEAD /2390/2253727548_a413c88ab3_s.jpg HTTP/1.1 Host: farm3.static.flickr.com

  60. 2 HTTP/1.0 200 OK Date: Mon, 05 May 2008 00:33:14

    GMT Server: Apache/2.0.52 (Red Hat) Accept-Ranges: bytes Content-Length: 3980 Content-Type: image/jpeg

  61. 3 GET /2390/2253727548_a413c88ab3_s.jpg HTTP/1.1 Host: farm3.static.flickr.com Range: bytes=0-999

  62. 4 HTTP/1.0 206 Partial Content Date: Mon, 05 May 2008

    00:36:57 GMT Server: Apache/2.0.52 (Red Hat) Accept-Ranges: bytes Content-Length: 1000 Content-Range: bytes 0-999/3980 Content-Type: image/jpeg {binary data}

  63. The GET me from another location response

  64. ▪ 303 See Other ▪ The response to your request

    can be found at another URL identified by the Location header ▪ The client should make a GET request on that URL ▪ The Location is not a substitute for this URL

  65. 1 POST /contact HTTP/1.1 Host: example.org Content-Type: application/x-www-form-urlencoded Content-Length: 1234

    {url-encoded form values from a contact form}

  66. 2 HTTP/1.1 303 See Other Date: Tue, 22 Sep 2009

    23:41:33 GMT Server: Apache/2.2.11 (Unix) DAV/2 PHP/5.3.0 X-Powered-By: PHP/5.3.0 Location: http://example.org/thankyou Content-Length: 0

  67. The find me temporarily at this place response

  68. ▪ 307 Temporary Redirect ▪ The resource resides temporarily at

    the URL identified by the Location ▪ The Location may change, so don’t update your links ▪ If the request is not GET or HEAD, then you must allow the user to confirm the action

  69. The permanent forwarding address response

  70. ▪ 301 Moved Permanently ▪ The resource has moved permanently

    to the URL indicated by the Location header ▪ You should update your links accordingly ▪ Great for forcing search engines, etc. to index the new URL instead of this one

  71. But what about just finding the resource at another location?

  72. ▪ 302 Found ▪ The resource has been found at

    another URL identified by the Location header ▪ The new URL might be temporary, so the client should continue to use this URL ▪ Redirections SHOULD be confirmed by the user (in practice, browsers don’t respect this)

  73. The data validation error response

  74. ▪ 400 Bad Request ▪ Generic error message ▪ The

    client sent malformed syntax ▪ The client needs to modify the request before sending it again (to fix errors)

  75. POST /user/ HTTP/1.1 Host: atom.example.org Content-Type: application/atom+xml;type=entry Content-Length: 474 <?xml

    version="1.0" encoding="utf-8"?> <entry xmlns="http://www.w3.org/2005/Atom" xml:base="http://atom.example.org/"> <title>r@msey</title> ... </entry> HTTP/1.1 400 Bad Request Date: Tue, 22 Sep 2009 23:51:00 GMT Server: Apache/2.2.11 (Unix) DAV/2 PHP/5.3.0 X-Powered-By: PHP/5.3.0 Content-Length: 123 Connection: close Content-Type: text/html; charset=utf-8 <div class="error"> The following errors occurred: <ul> <li>Title contained invalid characters</li> </ul> </div>

  76. The login required response

  77. 1 User requests page above their authorization level. Remember this?

    GET /protected/content/1234 HTTP/1.1 Host: example.org

  78. 2 User is redirected to a login page where they

    are prompted to increase their authorization level. HTTP/1.1 302 Found Date: Tue, 05 Nov 2009 17:34:24 GMT Server: Apache/2.2.14 (Unix) PHP/5.3.0 X-Powered-By: PHP/5.3.0 Location: /login Content-Length: 0 Content-Type: text/html; charset=utf-8

  79. A more semantic way:

  80. 1 GET /protected/content/1234 HTTP/1.1 Host: example.org

  81. 2 HTTP/1.1 401 Unauthorized Date: Tue, 05 Nov 2009 18:31:33

    GMT Server: Apache/2.2.14 (Unix) PHP/5.3.0 X-Powered-By: PHP/5.3.0 WWW-Authenticate: HTML form="login" Content-Length: 421 Content-Type: text/html; charset=utf-8

  82. <!doctype html> <html> <head> <title>You must log in</title> </head> <body>

    <form name="login" method="post" action="/login"> <label for="username">Username</label> <input type="text" name="username" id="username" /> <label for="password">Password</label> <input type="text" name="password" id="password" /> <input type="submit" value="Login" /> </form> </body> </html>

  83. ▪ Doesn’t imply the resource exists at another location ▪

    Tells clients the resource requires authorization ▪ Clearly tells crawlers they can’t access the resource ▪ Was originally in HTML5:
 http://blog.whatwg.org/this-week-in-html-5-episode-14 ▪ No longer in HTML5, but it works

  84. But wait! There’s more…

  85. Working with HTTP in PHP

  86. ▪ header() function
 http://php.net/header ▪ Client URL library (cURL)
 http://php.net/curl

    ▪ Streams
 http://php.net/streams ▪ HTTP extension (pecl/http)
 http://php.net/http

  87. Questions? ▪ My website is benramsey.com ▪ @ramsey on Twitter

    ▪ Read the HTTP spec at
 tools.ietf.org/html/rfc2616 ▪ My company is Schematic
 schematic.com

  88. Hidden Gems in HTTP Copyright © Ben Ramsey. Some rights

    reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License. For uses not covered under this license, please contact the author.