Web sessions are implemented differently by each server-side scripting technology, but in general they start when the user enters the web site, and they end when the user closes the browser or the session times out. Sessions are used to track user activities, such as a user adding items to their shopping cart—the site keeps track of the items by using the session identifier.
Sessions use cookies (data sent by the web site, per site or per page, stored by the user’s browser). Each time the user visits a web site that sent a cookie, the browser will send the cookie back to the web site. (Although cookies can be used to track users’ surfing behavior and are considered a major privacy threat, they are also the best medium for session management.) Sessions use cookies to identify users and pair them with an active session identifier.
Attackers can abuse both sessions and cookies, and this section will deal with the various risks:
• Session theft
• Managing sessions by sending data to the user
• Web server cookie attacks
• Securing sessions