The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

session. If the application’s session management is flawed, then an attacker can bypass the robust authentication altogether and still compromise users.

The Need for State

The HTTP protocol is essentially stateless. It is based on a simple request-response model, in which each pair of messages represents an independent transaction. The protocol itself contains no mechanism for linking together the series of requests made by one particular user and distinguishing these from all of the other requests received by the web server. In the early days of the Web, there was no need for any such mechanism: web sites were used to publish static HTML pages for anyone to view. Today, things are very different. The majority of web “sites” are in fact web applications. They allow you to register and log in. They let you buy and sell goods. They remember your preferences next time you visit. They deliver rich, multimedia experiences with content created dynamically based on what you click and type. In order to implement any of this functionality, web applications need to use the concept of a session.

The most obvious use of sessions is in applications that support logging in. After entering your username and password, you can go ahead and use the application as the user whose credentials you have entered, until such time as you log out or the session expires due to inactivity. Users do not want to have to reenter their password on every single page of the application. Hence, after authenticating the user once, the application creates a session for them, and treats all requests belonging to that session as coming from that user.
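The login-based session just described, shown as a small Python model added here (this is not code from the book). The session store, the 60-second inactivity timeout, the in-memory dictionary, the USERS table and the password are all constructed for illustration; a real application would back the store with a database or cache and verify credentials against a proper password store. What the model shows is the essential mechanism: authenticate once, bind an unguessable token to the user on the server side, resolve every later stateless request through that token, and invalidate it on logout or after inactivity.

```python
import secrets
import time

# Assumed value for this example: seconds of inactivity before a session expires.
SESSION_IDLE_TIMEOUT = 15 * 60


class SessionStore:
    """Server-side store linking opaque session tokens to authenticated users.

    Constructed example: an in-memory dict stands in for whatever a real
    application would use (database, cache).
    """

    def __init__(self, idle_timeout=SESSION_IDLE_TIMEOUT, clock=time.time):
        self._sessions = {}          # token -> {"user": str, "last_seen": float}
        self._idle_timeout = idle_timeout
        self._clock = clock          # injectable so the timeout can be tested

    def create(self, username):
        # A long token from a CSPRNG: the token is the only thing that ties later
        # requests to this user, so it must be unguessable.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "last_seen": self._clock()}
        return token

    def resolve(self, token):
        """Return the username bound to token, or None if there is no live session."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > self._idle_timeout:
            # Expired through inactivity: drop it so the token can never be reused.
            del self._sessions[token]
            return None
        entry["last_seen"] = now     # sliding expiry: activity keeps the session alive
        return entry["user"]

    def destroy(self, token):
        """Logout: invalidate server-side so the token is worthless afterwards."""
        self._sessions.pop(token, None)


# Constructed stand-in for a credential check (hypothetical user and password).
USERS = {"alice": "correct horse battery staple"}


def login(store, username, password):
    """Authenticate once; on success hand back a session token for later requests."""
    if USERS.get(username) != password:
        return None
    return store.create(username)


def handle_request(store, token):
    """Simulate one stateless HTTP request that may carry a session token.

    Returns the user the application treats the request as coming from,
    or None if the request must be treated as unauthenticated.
    """
    if token is None:
        return None
    return store.resolve(token)


def demo():
    # Fake clock so the inactivity timeout can be exercised deterministically.
    now = [1_000_000.0]
    store = SessionStore(idle_timeout=60, clock=lambda: now[0])

    assert login(store, "alice", "wrong") is None
    token = login(store, "alice", "correct horse battery staple")
    assert handle_request(store, token) == "alice"        # same session, same user
    assert handle_request(store, "forged-token") is None  # unknown token: no user

    now[0] += 30
    assert handle_request(store, token) == "alice"        # activity refreshes expiry
    now[0] += 61
    assert handle_request(store, token) is None           # idle too long: expired

    token2 = login(store, "alice", "correct horse battery staple")
    store.destroy(token2)                                 # logout
    assert handle_request(store, token2) is None
    return "ok"


if __name__ == "__main__":
    print(demo())
```

Run the file directly to execute `demo()`; each assertion in it corresponds to one behaviour the paragraph describes: requests in the same session are attributed to the same user, an unknown token yields no user, activity extends the session, inactivity ends it, and logout invalidates the token.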

Applications that do not have a login function also typically need to use sessions. Many sites selling merchandise do not require customers to create accounts. However, they allow users to browse the catalog, add items to a shopping basket, provide delivery details, and make payment. In this scenario, there is no need to authenticate the identity of the user: for the majority