HTTP vs HTTPS: Protocol Basics, Security, Cookies & Sessions
This article explains the fundamentals of HTTP and HTTPS, comparing their features, security mechanisms, ports, and performance, and details how internet messages travel through DNS, routers, IP and MAC addresses, as well as the roles, characteristics, and differences of cookies and sessions.
HTTP and HTTPS Overview
HTTP (HyperText Transfer Protocol) is a stateless, clear‑text request‑response protocol used by browsers and servers to exchange web resources. HTTPS adds an SSL/TLS encryption layer on top of HTTP, providing confidentiality, integrity and server authentication.
Key Differences
Security : HTTP sends data in clear text; HTTPS encrypts the traffic.
Default ports : 80 for HTTP, 443 for HTTPS.
Performance : HTTPS incurs a modest handshake and encryption overhead compared with HTTP.
Certificate requirement : HTTPS needs an X.509 certificate issued by a trusted Certificate Authority (CA).
Network Fundamentals
IP, MAC and DNS
When a user enters a domain name (e.g., www.example.com), the browser performs DNS resolution to obtain the corresponding IP address. The request is then routed through a series of routers, each forwarding the packet based on its destination IP. MAC addresses identify devices on the local link, while IP addresses are used for routing across networks.
IP address : Global identifier for a host; used for routing on the Internet.
MAC address : Physical address of a network interface; used only within the same LAN segment.
Common Service Ports
HTTP – 80
HTTPS – 443
FTP – 21
MySQL – 3306
SSH – 22
HTTP Request and Response Structure
Request Line, Headers and Body
An HTTP request consists of a request line, a set of headers, and an optional body. A response contains a status line, headers and a body.
Typical GET Request
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate, br

This request asks the server for /index.html using the GET method, identifies the client and indicates supported encodings.
Common HTTP Methods
GET – retrieve a resource (parameters in URL).
POST – submit data in the request body.
PUT – replace an existing resource.
DELETE – remove a resource.
Typical 200 OK Response
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1234
<html>...</html>

The server returns status code 200, specifies the content type and length, and includes the requested HTML body.
Important Status Codes
200 OK – request succeeded.
400 Bad Request – malformed request.
404 Not Found – resource does not exist.
500 Internal Server Error – server‑side failure.
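The request and response layout described above, as an added example (not code from the original article): a small Python parser that splits a raw HTTP/1.1 message into start line, headers and body, insists on a Host header for HTTP/1.1 requests, and refuses a response whose Content-Length disagrees with the body it actually received. The sample messages are constructed to match the GET request and 200 OK response shown above.

```python
"""Parse raw HTTP/1.1 request and response messages (added example)."""
from typing import Dict, Tuple

def _split_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a message into start line, header map and body at the first blank line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("malformed message: no blank line after the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # Empty names or whitespace before the colon are rejected, not silently accepted.
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.lower()] = value.strip()   # header names are case-insensitive
    return lines[0], headers, body

def parse_request(raw: bytes) -> dict:
    """Parse a request; HTTP/1.1 requests must carry a Host header."""
    start, headers, body = _split_message(raw)
    parts = start.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {start!r}")
    method, target, version = parts
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}

def parse_response(raw: bytes) -> dict:
    """Parse a response and check that Content-Length matches the body received."""
    start, headers, body = _split_message(raw)
    version, _, rest = start.partition(" ")
    code, _, reason = rest.partition(" ")
    if not version.startswith("HTTP/") or len(code) != 3 or not code.isdigit():
        raise ValueError(f"malformed status line: {start!r}")
    if "content-length" in headers and int(headers["content-length"]) != len(body):
        raise ValueError("Content-Length does not match the body length")
    return {"version": version, "status": int(code), "reason": reason,
            "headers": headers, "body": body}

# Constructed sample messages, matching the GET request and 200 OK response shown above.
SAMPLE_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"User-Agent: Mozilla/5.0\r\nAccept-Encoding: gzip, deflate, br\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   b"Content-Length: 16\r\n\r\n<html>...</html>")
```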
HTTPS Encryption Mechanics
Symmetric and Asymmetric Encryption
Symmetric encryption : Fast, uses a shared secret key for both encryption and decryption.
Asymmetric encryption : Uses a public/private key pair; slower but enables secure key exchange.
TLS Handshake and Key Exchange
The TLS handshake proceeds as follows:
The client sends a ClientHello with supported cipher suites.
The server replies with a ServerHello, its digital certificate (containing the public key) and the chosen cipher suite.
The client validates the certificate (chain of trust, expiration, hostname).
The client generates a random session key, encrypts it with the server’s public key, and sends it in a ClientKeyExchange message.
Both sides derive the same symmetric session key and switch to encrypted communication for the remainder of the session.
Digital Certificates
A certificate binds a public key to a domain name and is signed by a trusted CA. Browsers verify the certificate’s signature, chain, validity period and hostname before establishing a secure connection.
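The checks a client performs on the certificate (chain of trust, validity period, hostname) are exactly what a TLS client context must be configured to enforce. As an added example using only Python's standard-library ssl module (not code from the original article), the context below shows the common mistake of switching verification off beside a hardened configuration, with an audit function that reports which of those checks a given context would skip; the TLS 1.2 floor is an assumed policy choice.

```python
"""Client-side TLS context check (added example, Python standard library only)."""
import ssl
from typing import List

def insecure_client_context() -> ssl.SSLContext:
    """The common mistake: verification switched off to silence certificate errors."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # hostname in the certificate is no longer compared
    ctx.verify_mode = ssl.CERT_NONE   # chain of trust and validity period are not checked
    return ctx

def hardened_client_context() -> ssl.SSLContext:
    """Verify chain, validity period and hostname; refuse protocol versions below TLS 1.2."""
    ctx = ssl.create_default_context()   # loads the platform's trusted CA store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # assumed policy floor
    return ctx

def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings; an empty list means the context enforces the handshake checks."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: chain and expiry are not checked")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate may belong to another domain")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS 1.1 or older")
    return findings
```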
State Management: Cookies vs Sessions
Cookie
Stored on the client browser.
Typical size limit: 4 KB per cookie, up to 20 cookies per domain.
Sent with every HTTP request, adding bandwidth overhead.
Can be protected with HttpOnly and Secure flags; otherwise vulnerable to theft or tampering.
Session
Data stored on the server; the client holds only a session identifier (usually in a cookie).
More secure because the actual data never leaves the server.
Lost when the session expires or the browser is closed.
Comparison
Storage : Cookie – client; Session – server.
Security : Cookie – susceptible to tampering; Session – safer.
Size : Cookie – limited to a few kilobytes; Session – limited only by server resources.
Network overhead : Cookie – sent on every request; Session – only the session ID travels.
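The cookie/session split described above, as an added example (not code from the original article): the server keeps the session data in its own store and hands the browser only a random identifier, set with the HttpOnly and Secure flags; lookups honour an idle timeout, and a helper checks a cookie against the 4 KB limit. The timeout value and the SameSite=Lax attribute are assumed policy choices.

```python
"""Server-side session store keyed by an opaque cookie value (added example)."""
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

SESSION_COOKIE = "sid"
SESSION_TTL_SECONDS = 30 * 60   # idle timeout; an assumed policy value
MAX_COOKIE_BYTES = 4096         # the per-cookie limit mentioned above

# Session data lives only on the server; the client holds just the random ID.
SessionStore = Dict[str, dict]

def create_session(store: SessionStore, user: str, now: float) -> Tuple[str, str]:
    """Register a session and return (session_id, Set-Cookie header value)."""
    sid = secrets.token_urlsafe(32)   # OS CSPRNG: IDs cannot be guessed or enumerated
    store[sid] = {"user": user, "created": now, "last_seen": now}
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = sid
    cookie[SESSION_COOKIE]["httponly"] = True   # hidden from page JavaScript
    cookie[SESSION_COOKIE]["secure"] = True     # sent over HTTPS only
    cookie[SESSION_COOKIE]["samesite"] = "Lax"  # withheld from cross-site POSTs
    cookie[SESSION_COOKIE]["path"] = "/"
    return sid, cookie.output(header="").strip()

def lookup_session(store: SessionStore, cookie_header: str, now: float) -> Optional[dict]:
    """Resolve the session named in a request's Cookie header; None if absent or expired."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get(SESSION_COOKIE)
    if morsel is None or morsel.value not in store:
        return None
    data = store[morsel.value]
    if now - data["last_seen"] > SESSION_TTL_SECONDS:
        del store[morsel.value]   # expired: drop the server-side state
        return None
    data["last_seen"] = now
    return data

def cookie_fits(name: str, value: str) -> bool:
    """Check a name=value pair against the per-cookie size limit."""
    return len(f"{name}={value}".encode()) <= MAX_COOKIE_BYTES
```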
Summary
HTTP is suitable for public, non‑sensitive content but transmits data in clear text. HTTPS adds SSL/TLS encryption, certificate‑based server authentication and data integrity protection, making it essential for login pages, payment processing and any confidential communication.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
