The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

contained within any individual page. Once a user has entered his 

credentials into a browser dialog, the browser effectively resubmits

these credentials (or reperforms any required handshake) with every

subsequent request to the same server. This is the equivalent to an

application that uses HTML forms-based authentication and places a

login form on every application page, requiring users to reauthenticate

themselves with every action they perform. Hence, when HTTP-based

authentication is used, it is possible for an application to re-identify the

user across multiple requests without using sessions. However, HTTP

authentication is rarely used on Internet-based applications of any com-

plexity, and the other very versatile benefits that fully fledged session

mechanisms offer mean that virtually all web applications do in fact

employ them.

■■