Session Management
The next logical task in the process of handling user access is to manage the
authenticated user’s session. After successfully logging in to the application,
the user will access various pages and functions, making a series of HTTP
requests from their browser. At the same time, the application will be receiving
countless other requests from different users, some of whom are authenticated
and some of whom are anonymous. In order to enforce effective access control,
the application needs a way of identifying and processing the series of requests
that originate from each unique user.
Virtually all web applications meet this requirement by creating a session
for each user and issuing the user a token that identifies the session. The
session itself is a set of data structures held on the server, which are used to track
the state of the user’s interaction with the application. The token is a unique
string that the application maps to the session. When a user has received a
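
The session-and-token mapping described above, sketched as an added example (not code from the original text). The names SessionStore, handle_request and the "sessionid" cookie are hypothetical, the 900-second idle timeout is an assumed value, and the timeout and logout handling go slightly beyond what the passage covers.

```python
import secrets
import time

IDLE_TIMEOUT = 900  # seconds; assumed value for this example


class SessionStore:
    """Server-side sessions keyed by an unpredictable token."""

    def __init__(self):
        self._sessions = {}  # token -> session data, held only on the server

    def create(self, username):
        """Call after a successful login; returns the token sent to the browser."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = {"user": username, "last_seen": time.monotonic()}
        return token

    def resolve(self, token):
        """Map the token on an incoming request to its session, or None."""
        session = self._sessions.get(token) if token else None
        if session is None:
            return None
        if time.monotonic() - session["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]  # expired: token no longer maps to anything
            return None
        session["last_seen"] = time.monotonic()
        return session

    def destroy(self, token):
        """Logout: drop the server-side state so the token becomes worthless."""
        self._sessions.pop(token, None)


def handle_request(store, cookies):
    """Identify the user behind one HTTP request from its cookie dict."""
    session = store.resolve(cookies.get("sessionid"))
    return session["user"] if session else "anonymous"


def demo():
    store = SessionStore()
    alice, bob = store.create("alice"), store.create("bob")
    # Constructed sample: interleaved requests from different users.
    reqs = [{"sessionid": alice}, {}, {"sessionid": bob}, {"sessionid": "guessed"}]
    seen = [handle_request(store, r) for r in reqs]
    store.destroy(alice)  # after logout the same token must resolve to nothing
    return seen + [handle_request(store, {"sessionid": alice})]
```

A request carrying no token, an unknown token, an expired token or a logged-out token is treated identically: it is anonymous, because the token has no meaning except as a key into server-held state.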