Web Security Testing Cookbook by Ben Walther, Paco Hope

Chapter 11. Manipulating Sessions

It is one thing to show a man that he is in error, and another to put him in possession of truth.

John Locke

A session, at the most basic level, refers to all the connections a web browser makes to the web server during a single normal use. You can think of a session as a single sitting; the time and activities from when a user first browses to the application until the user logs out is one session. There are two aspects to establishing and maintaining a session. The first piece is a unique “session ID,” which is some kind of identifier that the server allocates and sends to your browser (or other client, like Flash Player). The second piece is some data that the server associates with your session ID. If you are familiar with databases, you can think of the session ID conceptually as a row in a database that corresponds with all the things you’re doing (the contents of your shopping cart, the expiration of your session, your role in the system, etc.). The session ID, then, is the unique key that the server uses to look up your row in the database. In some systems, that’s literally how it is. In other systems, the actual storage of sessions is completely different, but conceptually they work this way.
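The "row keyed by session ID" model described above, written out as an added example (this is not code from the book; the `SessionStore` class, its method names and the constructed shopping-cart data are assumptions for illustration). The server allocates an unpredictable ID with `secrets.token_urlsafe`, keeps the associated data (cart, role, expiry) only on its side, and treats an unknown or expired ID as "no session":

```python
import secrets
import time

# Constructed, in-memory store used only for this illustration. A real
# application keeps sessions in a database or cache, but the lookup-by-ID
# model is the same: the client holds only the key, the server holds the row.
SESSION_ID_BYTES = 32            # 256 bits of randomness per session ID
SESSION_LIFETIME_SECONDS = 30 * 60


class SessionStore:
    def __init__(self, lifetime=SESSION_LIFETIME_SECONDS, clock=time.time):
        self._sessions = {}          # session_id -> {"data": ..., "expires_at": ...}
        self._lifetime = lifetime
        self._clock = clock          # injectable clock so expiry can be exercised

    def create(self, **initial_data):
        """Allocate an unpredictable session ID and a fresh data row for it."""
        session_id = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[session_id] = {
            "data": dict(initial_data),
            "expires_at": self._clock() + self._lifetime,
        }
        return session_id

    def lookup(self, session_id):
        """Return the data row for this ID, or None if it is unknown or expired."""
        row = self._sessions.get(session_id)
        if row is None:
            return None
        if self._clock() >= row["expires_at"]:
            # Expired rows are dropped so the old ID can never be reused.
            del self._sessions[session_id]
            return None
        return row["data"]

    def destroy(self, session_id):
        """Logout: remove the row so the ID stops resolving to anything."""
        self._sessions.pop(session_id, None)


def demo():
    """Walk one constructed session through its life cycle and return the observations."""
    now = [1000.0]                                   # fake clock, advanced by hand
    store = SessionStore(lifetime=600, clock=lambda: now[0])

    sid = store.create(cart=["book"], role="customer")
    store.lookup(sid)["cart"].append("pen")         # server-side state changes, ID does not

    results = {
        "id_length": len(sid),                       # 43 URL-safe chars for 32 random bytes
        "cart_after_add": store.lookup(sid)["cart"],
        "role": store.lookup(sid)["role"],
        "unknown_id": store.lookup("not-a-real-id"),
    }
    now[0] += 601                                    # step past the 600 s lifetime
    results["after_expiry"] = store.lookup(sid)
    return results


if __name__ == "__main__":
    print(demo())
```

The point to notice is that the browser never receives the cart or the role, only the opaque key; every later request is trusted exactly as far as that key is trusted, which is why the rest of the chapter concentrates on how session IDs are generated, transported and invalidated.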

Maintaining data during a session makes life easier for users. The shopping cart metaphor is a prime example—online shopping carts retain the items you place in them until you log out or abandon the site. Without maintaining session data, the application ...
