Abstract

Most organisations now have a substantial investment in their Internet presence. For major financial institutions and retailers, the Internet offers both a cost-effective way of presenting their offerings to customers and a means of delivering a personalised, 24/7 service. In almost all cases, these services are delivered over plain HTTP. HTTP is stateless by design: each request is handled independently, and the protocol provides no built-in facility for identifying or tracking a particular customer (or session) across requests. The connection between a customer's Web browser and the organisation's Web service is therefore commonly described as "stateless", and organisations that need to maintain state have been forced to adopt their own methods of managing client sessions. An important aspect of managing state through session IDs relates directly to authentication. It would be possible to require a client to present authentication credentials with every "restricted" page request or data submission, but this would quickly become tedious and untenable. Session IDs are therefore used not only to follow a client through the Web application but also to identify each unique, authenticated user, and so they indirectly regulate access to site content and information. A session ID that can be guessed, captured or fixed by an attacker is consequently equivalent to the user's credentials for as long as the session remains valid.
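The mechanism the abstract describes, an opaque session ID standing in for the user's credentials on every request after login, can be shown end to end in a few dozen lines. The following is an added example written for this page, not code from the paper or from any product it discusses. The `SessionStore` class, the `SESSIONID` cookie name, the 128-bit ID length, the 15-minute idle timeout and the `/account/` restricted path prefix are all assumptions chosen for illustration. It shows the properties a practitioner would check in a real implementation: the ID comes from a CSPRNG, all authenticated state stays server-side, the ID is rotated at login so a pre-set (fixated) ID never becomes authenticated, idle sessions expire, and the cookie carries `Secure`, `HttpOnly` and `SameSite`.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Assumed parameters (not taken from the paper): 128-bit IDs, 15-minute idle timeout.
SESSION_ID_BYTES = 16
IDLE_TIMEOUT_SECONDS = 15 * 60
COOKIE_NAME = "SESSIONID"


class SessionStore:
    """Server-side session table mapping an opaque session ID to its state.

    The browser only ever holds the ID. The authenticated identity lives here,
    so editing the cookie cannot escalate a session; only possessing a live,
    authenticated ID can. `now` is injectable so expiry can be tested offline.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}  # session_id -> {"user": str | None, "last_seen": float}

    def _new_id(self):
        # 128 bits from the OS CSPRNG, URL-safe base64: not guessable or enumerable.
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    def _live(self, sid):
        """Return the entry for `sid` if it exists and has not idled out, else None."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._now()
        if now - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]  # expired sessions are dropped on sight
            return None
        entry["last_seen"] = now
        return entry

    def create(self):
        """Issue an anonymous session, e.g. on the first request from a browser."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._now()}
        return sid

    def login(self, sid, user):
        """Bind an authenticated identity to the session and rotate the ID.

        Rotation means an ID an attacker planted before login (session fixation)
        never becomes an authenticated ID.
        """
        if self._live(sid) is None:
            raise KeyError("unknown or expired session")
        del self._sessions[sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": self._now()}
        return new_sid

    def user_for(self, sid):
        """Authenticated user for a presented ID, or None (unknown, expired, anonymous)."""
        entry = self._live(sid)
        return entry["user"] if entry else None

    def logout(self, sid):
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    """Set-Cookie header value with the attributes a browser should honour."""
    return f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def session_id_from_cookie(cookie_header):
    """Extract the session ID from a Cookie request header, or None if absent."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def handle_request(store, cookie_header, path):
    """Toy dispatcher: paths under /account/ require an authenticated session."""
    sid = session_id_from_cookie(cookie_header)
    user = store.user_for(sid) if sid else None
    if path.startswith("/account/"):
        return (200, f"hello {user}") if user else (302, "/login")
    return (200, "public")


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create()
    print(handle_request(store, f"{COOKIE_NAME}={sid}", "/account/home"))  # (302, '/login')
    sid = store.login(sid, "alice")
    print("Set-Cookie:", set_cookie_header(sid))
    print(handle_request(store, f"{COOKIE_NAME}={sid}", "/account/home"))  # (200, 'hello alice')
```

Note that the lookup is by dictionary key rather than a constant-time comparison; with a 128-bit random ID the timing of a hash lookup leaks nothing usable, whereas a short, sequential or partly predictable ID would undermine every other control here regardless of how the comparison is done.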
