Hacking the Code: ASP.NET Web Application Security

Chapter 3: Managing Sessions

Introduction

For many Web sites, the user experience depends on the continuity of the user session. Since HTTP is a connectionless protocol, it is usually up to the Web developer to maintain some form of session persistence. When users browse through a Web site, they usually access multiple pages with different content on each page. Initially they visit one page, browse the contents of that page, then visit another page and continue until they are finished using that Web site. At that point they either close their browser or keep the browser open and continue on to a different Web site. To the user, it appears as one continuous session with the Web site they visit. But behind the scenes, the process is very different.

For each page visit, the browser makes several requests of the server for those elements required to render the page in the browser window. After retrieving those elements, the client closes the connection with the server. When retrieving the next page, the browser repeats the process, but the server has no idea that this request is connected to the previous request.

For that reason, the server needs to issue some kind of unique token that the browser can present with each visit to know which sessions are related. A token is an identifying string that is unique to each session. Using these session tokens, the server can treat a series of disconnected requests as if they were one continuous connection.

A server can assign...

UNLIMITED FREE
ACCESS
TO THE WORLD'S BEST IDEAS

SUBMIT
Already a GlobalSpec user? Log in.

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.

Customize Your GlobalSpec Experience

Category: Web Browsers
Finish!
Privacy Policy

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.