
Chapter 14. Security > Web Sessions

Web Sessions

As mentioned earlier, the basic Web protocols are stateless, and each request stands on its own. Consequently, each request must be independently authenticated. This is exactly what happens in basic authentication, in which the user's name and password are passed to the server on each request. The user experience is not bad, because after the first request for name and password from a site, the browser remembers to supply the credentials on subsequent requests. However, the server must independently validate the name and password on every hit. In addition, although the use of a secure protocol such as SSL can overcome the problem of transmitting passwords in the clear, these protocols may not be warranted for all communications, because the content being viewed may not be intrinsically valuable. Digest authentication can solve these problems by making the authentication both secure and lightweight, but it is not widely deployed.

The technique most often used to enable authentication without requiring that all content be encrypted is to create a session on top of the basic stateless Web protocols. When the session is entered, the server first authenticates the user. Thereafter, the authentication information is not required on every request, but every request does include information that identifies it as belonging to a particular session. There are two ways to create a Web session today: custom URLs and cookies, as shown in Figure 14-6.
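The following is an added example, not code from the book, that puts the two approaches just described side by side: basic authentication, where the name and password travel on every request and the server must re-verify them on every hit, and a session, where the server verifies the credentials once and thereafter recognises the client by an opaque session identifier carried either in a cookie or in a custom URL (the two mechanisms of Figure 14-6). The user name, password, cookie name `SESSIONID`, query parameter `sid`, and the in-memory store are all constructed for the example; a real deployment would use its own user database and a server-side session store.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Constructed user database (hypothetical values): the password is kept only
# as a salted PBKDF2 hash, never in the clear.
_SALT = b"constructed-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}

# Counts how often the (deliberately slow) password check runs, so the cost
# difference between the two schemes is visible.
_password_checks = 0


def password_check_count():
    return _password_checks


def verify_password(user, password):
    """Validate a name/password pair against the stored hash."""
    global _password_checks
    _password_checks += 1
    stored = USERS.get(user)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(stored, candidate)  # constant-time comparison


def basic_header(user, password):
    """Build the 'Authorization' value a browser sends for basic authentication."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def handle_basic_auth(headers):
    """Basic authentication: the credentials arrive on every request, so the
    server has to run verify_password on every hit."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, password = base64.b64decode(blob).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if verify_password(user, password) else None


# Server-side session store: opaque token -> (user, expiry timestamp).
SESSIONS = {}
SESSION_TTL = 30 * 60  # seconds


def create_session(user, password, ttl=SESSION_TTL):
    """Entering the session: authenticate once, then hand out an unguessable
    identifier that stands in for the credentials on later requests."""
    if not verify_password(user, password):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[token] = (user, time.time() + ttl)
    return token


def set_cookie_header(token):
    """The 'Set-Cookie' value that binds the session to the browser; the flags
    keep the token off plain-text connections and away from page scripts."""
    return f"SESSIONID={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


def _lookup(token):
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    user, expiry = entry
    if time.time() > expiry:
        del SESSIONS[token]  # an expired session is discarded, never revived
        return None
    return user


def handle_cookie_session(headers):
    """Session via cookie: the browser sends 'Cookie: SESSIONID=<token>'.
    No password check happens here, only a store lookup."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SESSIONID":
            return _lookup(value)
    return None


def handle_url_session(url):
    """Session via custom URL: the token rides in the query string. It works
    the same way, but the token then lands in server logs, browser history
    and Referer headers, which is why the cookie form is preferred."""
    tokens = parse_qs(urlsplit(url).query).get("sid", [])
    return _lookup(tokens[0]) if tokens else None
```

Running a few requests through each handler shows the trade-off the text describes: three basic-authentication requests cost three password verifications, while a session costs one verification at login and a dictionary lookup per request afterwards; an expired or unknown token is simply refused, and the client has to authenticate again.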

