
How to parse and handle complete response headers?


LCF-AT

Hi guys,

Just working again a little on my http/s request stuff and I have some questions. I would like to know how to interpret a full response header to build the next request header, and so on until success. I would like to build some automation for that.

1.) Reading the response Status Code value for success or issues

2.) On success, reading response header fields like Set-Cookie to prepare the next request with a Cookie field

3.) ?

Let's say I want to visit a page like in a browser, just without using a browser. So which specific response header fields are most important to read when creating the next request header? I know there are tons of different header fields which could be used, so my first goal is to find out which ones are absolutely needed to read and use in the next request header. Let's say I got a success status back on a request, so what should I check next? I think I have to check the Set-Cookie fields first, reading and parsing them and using them in further requests. My first question in this case would be which Set-Cookie fields I have to use for the next requests.

Example:

Set-Cookie: ips4_IPSSessionFront=12345; path=/; secure; HttpOnly
Set-Cookie: ips4_guestTime=1584643983; path=/; secure; HttpOnly
Set-Cookie: ips4_forum_view=table; expires=Fri, 19-Mar-2021 18:53:03 GMT; Max-Age=31536000; path=/; secure; HttpOnly

So when reading the RFC doc about Set-Cookie fields, I can read that I need to use all entries for the next Cookie requests which use Max-Age=X entries if they are not 0 or "-", and also if the Max-Age attribute isn't used. In the case above I have to use all entries for the next request using the Cookie field.

Cookie: ips4_IPSSessionFront=12345; ips4_guestTime=1584643983; ips4_forum_view=table

Right? So what about other header fields, and which of those do I have to handle too? Anyhow, it's really tricky to build my own functions to handle that stuff by myself, you know. I just want to ask whether you have some more info or must-have knowledge for handling this stuff in an automatic way etc.

greetz

Link to comment
Share on other sites

The values in the header are defined by the web server (Apache Request and Response Headers), the programming language (like the session identifier (PHPSESSID)), and the developer himself (like a CSRF token).
So the type of web server and its language are important because they each have their own behavior.
So I need to know: are you doing this for a specific site?

Link to comment
Share on other sites

There is the

HTTPHEADER (aka request header) = client

RESPHEADER (aka server response header) = server

These two sometimes play together. Meaning, for security purposes, a client makes a request to a server by passing an extra "xyz" header (possibly a token) to the server, and the server identifies the client by that. Imagine this "passing an extra "u_name_it" header" as the same as passing an extra variable in the request parameters, but doing it in the request/server headers.

------------

In any language you can enumerate the response headers (as @nimaarek mentioned, defined by the web server and the developer, who can add his "u_name_it").

https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
https://flaviocopes.com/http-response-headers/

 

But on the other side, you list some cookies that have nothing to do with the response header. You can set a cookie_jar to store the cookies for you, so for example on the first call you log in, then you can reuse the cookie_jar on the second call.

https://curl.haxx.se/libcurl/c/CURLOPT_COOKIEJAR.html

 

Link to comment
Share on other sites
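
Added example, not part of any post in this thread: a minimal single-host cookie store in Python that takes the three Set-Cookie values from the question and builds the Cookie header for the next request, applying the RFC 6265 rules for Max-Age, Expires, Path and Secure. The function names are hypothetical; Domain matching is left out and a missing Path is assumed to default to "/".

```python
import re
from email.utils import parsedate_to_datetime

# The three Set-Cookie values quoted in the question above.
PAGE_HEADERS = [
    "ips4_IPSSessionFront=12345; path=/; secure; HttpOnly",
    "ips4_guestTime=1584643983; path=/; secure; HttpOnly",
    "ips4_forum_view=table; expires=Fri, 19-Mar-2021 18:53:03 GMT; Max-Age=31536000; path=/; secure; HttpOnly",
]

def store(jar, set_cookie, now):
    """Apply one Set-Cookie value, received at epoch time `now`, to the dict `jar`."""
    pair, *attrs = set_cookie.split(";")
    name, sep, value = (s.strip() for s in pair.partition("="))
    if not sep or not name:
        return  # no name=value pair: ignore the whole header
    path, secure, expires, max_age = "/", False, None, None
    for attr in attrs:
        key, _, val = attr.strip().partition("=")
        key, val = key.lower(), val.strip()
        if key == "max-age" and re.fullmatch(r"-?[0-9]+", val):
            max_age = int(val)
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(val).timestamp()
            except (TypeError, ValueError):
                pass  # unparseable date: treat the attribute as absent
        elif key == "path" and val.startswith("/"):
            path = val
        elif key == "secure":
            secure = True
    if max_age is not None:  # Max-Age takes precedence over Expires
        expires = now + max_age if max_age > 0 else 0
    if expires is not None and expires <= now:
        jar.pop((name, path), None)  # already expired: the server is deleting it
    else:  # expires=None means a session cookie, kept until the client discards it
        jar[(name, path)] = {"value": value, "secure": secure, "expires": expires}

def cookie_header(jar, scheme, req_path, now):
    """Cookie header value for a request to scheme://<host><req_path> at time `now`."""
    out = []
    for (name, path), c in jar.items():
        live = c["expires"] is None or c["expires"] > now
        in_path = req_path == path or (req_path.startswith(path)
                  and (path.endswith("/") or req_path[len(path)] == "/"))
        if live and in_path and (scheme == "https" or not c["secure"]):
            out.append(f"{name}={c['value']}")
    return "; ".join(out)
```

Because all three cookies carry the Secure attribute, the jar returns them only for an https request; HttpOnly is not evaluated here since it restricts script access in a browser, not what is sent on the wire.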
