Web sessions are performed differently by each server-side scripting technology, but in common, they begin when the user accesses the website, and they end when the user ends the browser or the session times out. Sessions are used to track user actions, such as a user adding items to their shopping basket—the site keeps track of the items by using the session identifier.
Sessions use cookies (the data that has been sent by the website, saved by the user’s browser). Every time the user visits a website that sent a cookie, the browser will send the cookie back to the website. (Although cookies can be used to track users’ activities and are considered a major privacy threat, they are also the best medium for session management.) Sessions use cookies to recognize users and pair them with an active session identifier.
Let’s pretend the website uses e-mail addresses as the identifying data. After the user has logged in, the server will send the browser a cookie holding the user’s e-mail address.
For each page this user will access, the browser will send the cookie containing the user’s e-mail address. The site checks the data in the cookie and enables the user to go where their profile permits.
A hacker could change the data in the cookie, however. Imagine that the cookie contains [email protected], and each time we access the site we can automatically access restricted areas. If the hacker modifies the e-mail address in his cookie (located on his machine) to be [email protected], the next time the hacker accesses the site, it will think he is the user anotheruser and enable him to access that user’s data.
