1. For those bitcoin services website, like bitcoin exchanges, how are they able to generate unique bitcoin address for each users? Do they use a BIP wallet to generate those bitcoin address, or some other methods?
Yes
It's impossible to know as most don't openly advertise how they handle these types of things. I'm sure there are websites that are using "HD" wallets to generate keys from seeds, and others that simply use the old "RNG" method to just randomly generate keys as required. Others probably use hardware wallets etc.
How long is a piece of string?
2. Do they store those bitcoin address on their public web server? I am thinking that when you visit their website, their back-end will surely get your assigned bitcoin address from somewhere in their system, so they can check for the balance, so I am guessing bitcoin address are stored on their webserver. Will storing bitcoin address on webserver pose a security threat?
Addresses aren't really a "security threat" as such... they are after all, ALL published within the blockchain data for everyone to see when they receive coins.
I would assume that they are storing their address list somewhere... whether that is on their public webserver or not is probably more a function of performance and latency than anything else.
3. Likewise, do they store private keys of those addresses on webserver? If no due to security concerns, then how are users able to withdraw their bitcoin from the website, especially since the private keys are in cold-wallet and thus they are not connected to the public webserver?
If they are storing private keys on a webserver, they are pretty stupid. Private keys are called "private" for a reason. Putting them anywhere near a public facing server is a recipe for disaster.
Users don't generally create a transaction, sign it and then broadcast it... they will create a "withdrawal request", which is then processed by the system. As long as the system has access to the appropriate keys, that's all that really matters.
4. Most website will have their own bitcoin addresses to pool in all the funds deposited from the users' bitcoin address. This addresses are then used for user's withdrawals. How are they able to check which user's public address have funds in it, so they can transfer the funds to their own address, especially if they have so many users? Also, how they able to handle user's withdrawal in this case, assuming the private keys of their own pool addresses are stored offline? What if users require instant withdrawal?
I would think that most of the sites don't do it like this. Instead, each user will have an account (SomeUser) and some associated Database values (like AccountBalance, DepositAddress etc). Each DepositAddress is assigned to the user either semi-permanently (and re-used for each deposit, I've seen a couple of gambling sites in particular that do this) or they automatically get assigned a new DepositAddress whenever the current one is "used" and has received funds for the first time (most exchanges seem to do this).
SomeUser then logs in, and clicks on the "deposit BTC" link... they are presented with the DepositAddress that is currently linked in the backend database with their SomeUser account. SomeUser then sends some BTC from their external wallet to DepositAddress. Custom software (or maybe a modified version of Bitcoin Core etc), monitoring the sites wallet addresses, detects a transaction to DepositAddress. Once that transaction is confirmed, the "AccountBalance" for SomeUser is then incremented by value of the transaction.
When a user wants to withdraw, they issue a request to withdraw a certain amount of BTC (AmountRequested) to a certain address (WithdrawAddress)... The system simply checks that SomeUser.AccountBalance >= AmountRequested and that WithdrawAddress is a "valid" BTC address. If they are, then the backend can either immediately create a transaction that sends AmountRequest to WithdrawAddress using whatever hotwallet funds they have (basically using funds from ANY address(es) in the sites hot wallet)... or, if they're a site that likes to batch transactions, they can add the request to the queue. At this point, SomeUser.AccountBalance will be decremented by AmountRequested (+fee
)... and most likely a "pending" transaction entry will be added to their account history etc.
Scheduled tasks could be used to shift funds from hot wallet deposit addresses to cold storage... or you could simply do it whenever hot wallet balance exceeds a certain threshold. Likewise the refilling of hotwallet is likely done when the balance falls below a certain threshold to ensure enough funds are available to satisfy "instant withdrawal".
Obviously there is a lot of room for debate as to which is the "best" method for these types of systems... or what is an "acceptable" amount to hold in a hot wallet before shifting to cold... or what is minimum amount required in hot wallet. It will be very much site specific and vary according to the level of risk the site is willing to carry, what their incoming/outgoing transaction numbers/values are etc.
Note that the above is a mixture of guesswork/assumption and casual conversation with site owners on how they handle things in "general terms" without low level specifics etc.