A basic security requirement that practically any application requires to meet is to control users’ access to its data and functionality. A typical condition has several different categories of user, such as anonymous users, normal authenticated users, and administrative users.
Moreover, in many situations, different users are allowed to access a different set of data. For example, users of a web mail application should be able to read their own e-mail but not other people’s. Most web applications control access using a three of interrelated security mechanisms:
– Authentication: The authentication mechanism is logically the most basic dependency in an application’s handling of user access. It involves establishing that the user is in fact who he claims to be.
– Session management: After a user logs into the application, the user reaches different pages and functions, creating a sequence of HTTP requests from his browser. Also, the application gets many other requests from many users, some of them are authenticated and some of them are anonymous. To enforce effective access control, the application needs a way to recognize and process the series of requests that originate from each unique user.
– Access control: This is the last logical step in the process of managing user access is to make and enforce correct decisions about whether each particular request should be allowed or denied.
Each of these mechanisms describes an important area of the application’s attack surface, and each is necessary to an application’s overall security status. Because of their interdependencies, the overall security provided by the mechanisms is only as strong as the weakest link in the chain. A fault in any single element may allow an attacker to obtain unrestricted access to the application’s functionality and data.
