WEBVTT 0:00:03.640000 --> 0:00:05.520000 session management. 0:00:05.520000 --> 0:00:09.980000 So in this video, we're going to be getting into session management. 0:00:09.980000 --> 0:00:16.220000 Again, I'm assuming you're probably familiar with sessions, session IDs, 0:00:16.220000 --> 0:00:22.040000 cookies, etc. But I think it's important that we go over session management 0:00:22.040000 --> 0:00:32.100000 and the reasons will become aspects or components of session management 0:00:32.100000 --> 0:00:38.300000 that I want to go over more importantly, because of the interplay or the 0:00:38.300000 --> 0:00:43.960000 link between authentication and authorization, I should say authentication 0:00:43.960000 --> 0:00:50.380000 and sessions or session management, which will then later take us into 0:00:50.380000 --> 0:00:51.600000 session security. 0:00:51.600000 --> 0:00:55.700000 But let's not get ahead of ourselves session management. 0:00:55.700000 --> 0:01:00.420000 So we've got an understanding of what authentication is, what it's used 0:01:00.420000 --> 0:01:03.160000 for in the context of web applications. 0:01:03.160000 --> 0:01:05.500000 We know what authorization is. 0:01:05.500000 --> 0:01:11.160000 And we also took a look at some modern or some common authentication mechanisms 0:01:11.160000 --> 0:01:18.540000 used in the modern world of the internet in web applications to essentially 0:01:18.540000 --> 0:01:26.060000 control and restrict access to certain resources or to specific websites. 0:01:26.060000 --> 0:01:28.540000 And that now brings us to sessions, right? 0:01:28.540000 --> 0:01:29.720000 And session management. 0:01:29.720000 --> 0:01:34.000000 Now, if you're familiar with this, again, it's probably very basic stuff. 0:01:34.000000 --> 0:01:38.280000 But I think it's quite important that at least we revisit it. 
0:01:38.280000 --> 0:01:44.380000 So starting at the beginning or starting in the beginning, once upon a 0:01:44.380000 --> 0:01:47.720000 time, what is session management? 0:01:47.720000 --> 0:01:52.440000 Well, in the context of web applications, session management is the process 0:01:52.440000 --> 0:02:00.400000 of creating, maintaining, and securing a user's session after they authenticate. 0:02:00.400000 --> 0:02:02.880000 So this comes after, right? 0:02:02.880000 --> 0:02:07.320000 And it's separate from authorization, because that essentially determines 0:02:07.320000 --> 0:02:17.760000 what you can access after you authenticate. 0:02:17.760000 --> 0:02:22.220000 But your session, now, you know, if this confuses you, don't worry, I 0:02:22.220000 --> 0:02:25.740000 think I have another analogy that will help you understand exactly what 0:02:25.740000 --> 0:02:27.040000 session management is. 0:02:27.040000 --> 0:02:31.940000 And this is very important because understanding the difference between 0:02:31.940000 --> 0:02:37.400000 these, you know, between authentication, authorization, and session management, 0:02:37.400000 --> 0:02:43.420000 I think is almost critical to your success as a web application penetration 0:02:43.420000 --> 0:02:49.380000 tester, or even, you know, as someone working on the defensive side. 0:02:49.380000 --> 0:02:57.780000 So a session represents a temporary, keyword, continuous interaction between 0:02:57.780000 --> 0:03:03.600000 the user and the application, the web application, essentially allowing 0:03:03.600000 --> 0:03:09.580000 the user to access resources and maintain an active state or an authenticated 0:03:09.580000 --> 0:03:15.920000 state, I should say, without reauthenticating on each request. 0:03:15.920000 --> 0:03:18.780000 Now, why is this the case? 0:03:18.780000 --> 0:03:23.280000 Or why, you know, why do we need session management on the internet or 0:03:23.280000 --> 0:03:24.840000 in web applications? 
0:03:24.840000 --> 0:03:29.840000 Well, the reason we need session management or a form of session management 0:03:29.840000 --> 0:03:34.400000 is all down to the limitations of HTTP. 0:03:34.400000 --> 0:03:41.260000 Now, I've introduced, you know, I've covered HTTP to, you know, to quite 0:03:41.260000 --> 0:03:46.140000 an extent in the EWPT certification. 0:03:46.140000 --> 0:03:48.900000 So I'll not be diving into the inner workings of HTTP. 0:03:48.900000 --> 0:03:52.860000 But if you remember, this is something you can also research on your own. 0:03:52.860000 --> 0:04:05.180000 If you're not familiar with this, you know, the web or web applications 0:04:05.180000 --> 0:04:09.420000 and your browser to communicate, right? 0:04:09.420000 --> 0:04:15.740000 Now, the problem with HTTP, you know, at least insofar as session management 0:04:15.740000 --> 0:04:18.980000 is concerned, is that it is stateless. 0:04:18.980000 --> 0:04:25.840000 So what that means is that with HTTP or anything running on HTTP, you're 0:04:25.840000 --> 0:04:35.420000 really inherently not able to, you're not able to have this or HTTP doesn't 0:04:35.420000 --> 0:04:40.020000 have the ability to track your authenticated session. 0:04:40.020000 --> 0:04:45.840000 So, you know, you're not able to have, you know, for example, if we didn't 0:04:45.840000 --> 0:04:49.740000 have session management, which at one point we didn't on the internet, 0:04:49.740000 --> 0:04:54.680000 that's why we have, you know, session IDs and cookies, etc. 0:04:54.680000 --> 0:05:01.300000 Once, you know, for example, you closed the tab, you know, you would be 0:05:01.300000 --> 0:05:03.800000 logged out of the website, right? 0:05:03.800000 --> 0:05:09.080000 And when you opened up the website again that you were logged into previously, 0:05:09.080000 --> 0:05:11.500000 you need to sign in again. 
0:05:11.500000 --> 0:05:15.220000 Now, session management essentially allows you for a temporary amount 0:05:15.220000 --> 0:05:19.360000 of time, which is actually defined and, you know, the different websites 0:05:19.360000 --> 0:05:22.680000 have different durations. 0:05:22.680000 --> 0:05:29.340000 But it allows you for a temporary amount of time to stay authenticated 0:05:29.340000 --> 0:05:33.060000 so that you don't have to keep on logging in. 0:05:33.060000 --> 0:05:34.560000 Makes sense, right? 0:05:34.560000 --> 0:05:41.060000 So session management is essential to track and maintain user identity 0:05:41.060000 --> 0:05:43.020000 across multiple requests. 0:05:43.020000 --> 0:05:47.000000 Because remember, authentication is just one side of it. 0:05:47.000000 --> 0:05:54.700000 You also want to ensure that the identity of the user is maintained and 0:05:54.700000 --> 0:06:00.100000 is not convoluted or conflated with someone else's identity, like an admin's 0:06:00.100000 --> 0:06:06.720000 identity. So session management is an augmentation to this whole process, 0:06:06.720000 --> 0:06:12.780000 if you will, of what happens after you've gone through the 0:06:12.780000 --> 0:06:18.500000 door using the earlier analogy or the analogy I used in earlier videos. 0:06:18.500000 --> 0:06:24.740000 Now, in order for you to understand authentication, authorization, and 0:06:24.740000 --> 0:06:29.780000 session management as a whole or altogether, I need to use a different 0:06:29.780000 --> 0:06:36.240000 analogy. One that I think will be very, very useful to you in, you know, 0:06:36.240000 --> 0:06:42.360000 essentially helping you understand when each of these come into play and 0:06:42.360000 --> 0:06:43.700000 why they're important. 0:06:43.700000 --> 0:06:46.040000 So here's the analogy. 
0:06:46.040000 --> 0:06:54.580000 If you've ever been to a water park or let's say a music concert, that 0:06:54.580000 --> 0:07:01.900000 type of event, really, at least in my opinion, will give you, actually 0:07:01.900000 --> 0:07:07.220000 has all the components for you to understand authentication, session management, 0:07:07.220000 --> 0:07:08.160000 and authorization. 0:07:08.160000 --> 0:07:10.400000 So let's start from the beginning. 0:07:10.400000 --> 0:07:12.040000 So you buy a ticket. 0:07:12.040000 --> 0:07:14.340000 That's not really important at this point. 0:07:14.340000 --> 0:07:18.180000 But the bottom line is, let's say you're going to a concert, a music concert, 0:07:18.180000 --> 0:07:23.580000 and you buy a ticket online or, you know, wherever, whatever, you know, 0:07:23.580000 --> 0:07:24.900000 that's not really important. 0:07:24.900000 --> 0:07:28.620000 The bottom line is you have a ticket, and it's the day of the concert. 0:07:28.620000 --> 0:07:33.580000 So you head over to the venue, and you find that at the concert, there's 0:07:33.580000 --> 0:07:41.220000 a ticket booth or a ticketing station, where everyone who wants to go 0:07:41.220000 --> 0:07:47.280000 to the music concert, this is on, you know, the periphery of the actual 0:07:47.280000 --> 0:07:53.180000 concert venue. So this has been set up to prevent anyone who doesn't have 0:07:53.180000 --> 0:07:57.460000 a ticket from entering and enjoying the concert. 0:07:57.460000 --> 0:08:00.040000 So only people with a ticket, i.e. 0:08:00.040000 --> 0:08:03.660000 people who purchased a ticket, will be able to enter. 0:08:03.660000 --> 0:08:08.380000 Okay, so as you can, as you can already tell, that is authentication. 
0:08:08.380000 --> 0:08:13.960000 So you have someone at the ticket booth or someone at the gates, for example, 0:08:13.960000 --> 0:08:18.200000 and they are checking everyone going in, and, you know, they're checking 0:08:18.200000 --> 0:08:21.560000 their ticket, and they're also checking the validity of the ticket, because 0:08:21.560000 --> 0:08:23.040000 there are fakes, right? 0:08:23.040000 --> 0:08:26.900000 So you can think of that as sort of an advanced form or an augmented form 0:08:26.900000 --> 0:08:29.160000 of authentication. 0:08:29.160000 --> 0:08:34.340000 And so you have your ticket, and you go, you go on to the gate, and, you 0:08:34.340000 --> 0:08:37.960000 know, the individual there checks your ticket and says, yep, you're good 0:08:37.960000 --> 0:08:39.520000 to go. This is legitimate. 0:08:39.520000 --> 0:08:43.980000 In you go, but, but, but this is very important. 0:08:43.980000 --> 0:08:51.460000 Before you go in, I'm going to put this wristband on your wrist, and this 0:08:51.460000 --> 0:08:57.500000 wristband will allow the security personnel within the concert venue to 0:08:57.500000 --> 0:09:03.460000 actually verify and confirm that, yes, indeed, you are someone who bought 0:09:03.460000 --> 0:09:08.080000 the ticket, and you actually have been authenticated by me. 
0:09:08.080000 --> 0:09:15.400000 So I essentially use this wristband to tell everyone inside the concert 0:09:15.400000 --> 0:09:21.120000 arena or zone that, hey, this guy has paid, his ticket is legitimate, and, 0:09:21.120000 --> 0:09:24.780000 you know, you're authenticated successfully, so that when you go into 0:09:24.780000 --> 0:09:31.000000 the concert venue, and likewise, anyone else who has a legitimate ticket 0:09:31.000000 --> 0:09:36.500000 goes into the concert venue, the security personnel, and everyone generally 0:09:36.500000 --> 0:09:42.020000 who is within the concert venue, enjoying the music, knows that, you know, 0:09:42.020000 --> 0:09:46.080000 you have, you know, you actually bought a legitimate ticket, and you, 0:09:46.080000 --> 0:09:50.680000 and this was authenticated at the gates before you went in. 0:09:50.680000 --> 0:09:58.240000 Right, now the wristband in this analogy is essentially where we get into, 0:09:58.240000 --> 0:10:04.000000 you know, you know, post-authentication, which is the ticket, but the 0:10:04.000000 --> 0:10:10.040000 wristband is at the basic level authorization. 0:10:10.040000 --> 0:10:16.000000 So the wristband authorizes you to actually enjoy the concert or to attend 0:10:16.000000 --> 0:10:17.520000 the concert, right? 0:10:17.520000 --> 0:10:22.180000 Now, you may be asking, where does session management come into play here? 0:10:22.180000 --> 0:10:26.200000 Well, I don't know if you've noticed this, or, but again, we can sort 0:10:26.200000 --> 0:10:30.700000 of add to the analogy, but what if there are different tiers for the concert 0:10:30.700000 --> 0:10:35.540000 in that, you can buy a VIP ticket that gives you access to, let's say, 0:10:35.540000 --> 0:10:40.740000 a closer set of seats that, you know, closer to the stage or whatever, 0:10:40.740000 --> 0:10:47.720000 how do we use the wristband to essentially allow you to access those privileged 0:10:47.720000 --> 0:10:49.940000 or restricted areas? 
0:10:49.940000 --> 0:11:00.380000 Well, session management is to these privileges. 0:11:00.380000 --> 0:11:05.140000 And again, you can see that as sort of authorization, but, and it is, 0:11:05.140000 --> 0:11:09.620000 but, the fact that you have the wristband on, the fact that you have the 0:11:09.620000 --> 0:11:13.240000 wristband on is sort of, you know, your session ID, if you will. 0:11:13.240000 --> 0:11:18.080000 But this can also be augmented as it is on the internet. 0:11:18.080000 --> 0:11:23.200000 So let's say you bought a VIP ticket and you're given a different colored 0:11:23.200000 --> 0:11:30.620000 wristband, let's say once you're inside the concert venue after your ticket 0:11:30.620000 --> 0:11:35.020000 has been authenticated and after you've got your red wristband, you can 0:11:35.020000 --> 0:11:38.320000 now move on to the VIP section. 0:11:38.320000 --> 0:11:42.920000 Firstly, everyone knows that, yeah, you're supposed to be here, but now 0:11:42.920000 --> 0:11:49.280000 there's another area that you are also authorized to access, which you 0:11:49.280000 --> 0:11:53.640000 can only access by virtue of the fact that (a) you have on the wristband, 0:11:53.640000 --> 0:11:56.980000 but more importantly, the wristband is of a certain type. 0:11:56.980000 --> 0:12:01.060000 In this case, it needs to be red, maybe has some additional info printed 0:12:01.060000 --> 0:12:03.320000 on it, doesn't really matter. 0:12:03.320000 --> 0:12:09.380000 But the bottom line is to sort of simplify the analogy. 0:12:09.380000 --> 0:12:14.280000 Authentication is the person checking your ticket at the gates, right, 0:12:14.280000 --> 0:12:17.760000 for validity, etc. 0:12:17.760000 --> 0:12:22.460000 Once you go in, or before you go in, you have the wristband put around 0:12:22.460000 --> 0:12:26.380000 your wrist, that is unique to you. 
0:12:26.380000 --> 0:12:30.700000 And essentially, it essentially proves that you know, you've authenticated 0:12:30.700000 --> 0:12:35.680000 successfully and the wristband is your session ID, if you will. 0:12:35.680000 --> 0:12:40.560000 So this allows you to temporarily, this is the key thing, because remember, 0:12:40.560000 --> 0:12:45.840000 once you leave the concert venue, the wristband is cut off so that in 0:12:45.840000 --> 0:12:50.600000 the future, you can return here again without a ticket, you know, with 0:12:50.600000 --> 0:12:54.160000 your wristband and say, Hey, I want to get in, because that's when you 0:12:54.160000 --> 0:12:56.360000 would be bypassing the authentication. 0:12:56.360000 --> 0:13:00.420000 So hopefully you're starting to see where all the hacks are coming from, 0:13:00.420000 --> 0:13:06.380000 or where attackers typically, or the techniques attackers typically 0:13:06.380000 --> 0:13:13.140000 like using. So this all makes sense as we progress, but the authorization, 0:13:13.140000 --> 0:13:22.220000 the authorization process could be considered the different type or different 0:13:22.220000 --> 0:13:26.380000 colored wristband that gives you VIP access, for example. 0:13:26.380000 --> 0:13:31.500000 But you can sort of see that session ID or your session and authorization 0:13:31.500000 --> 0:13:33.620000 are somewhat closely linked. 0:13:33.620000 --> 0:13:35.920000 And that's why I wanted to use this analogy. 0:13:35.920000 --> 0:13:37.600000 And again, you can use a different analogy. 0:13:37.600000 --> 0:13:41.460000 And I know I'm taking a bit of your time here, like, you know, going to 0:13:41.460000 --> 0:13:45.220000 a water park where it's sort of the same type of thing, where you pay 0:13:45.220000 --> 0:13:51.160000 for access, you know, either based on a specific duration, or, you know, 0:13:51.160000 --> 0:13:54.620000 to access specific areas of the water park. 
0:13:54.620000 --> 0:14:00.520000 And, you know, you get a wristband once you pay, and your wristband is 0:14:00.520000 --> 0:14:05.100000 your session, or your session ID, and it's temporary access. 0:14:05.100000 --> 0:14:10.420000 Again, when you leave, or when you log out, the wristband is cut off, 0:14:10.420000 --> 0:14:13.780000 or is actually removed from your wrist, and you don't get to go home 0:14:13.780000 --> 0:14:18.600000 with it. If you want to get back in, you have to re-authenticate, or pay 0:14:18.600000 --> 0:14:20.560000 again, or buy a new ticket. 0:14:20.560000 --> 0:14:26.140000 And that's hopefully that analogy, that long-winded analogy actually explains 0:14:26.140000 --> 0:14:31.620000 all three of these things, that being authentication, session management, 0:14:31.620000 --> 0:14:33.740000 and authorization to a certain extent. 0:14:33.740000 --> 0:14:36.140000 Anyway, I didn't want to take too much of your time. 0:14:36.140000 --> 0:14:40.500000 So moving on here, let's get back to the technical stuff. 0:14:40.500000 --> 0:14:45.600000 What are the functions of session management, and using the analogy, I 0:14:45.600000 --> 0:14:50.340000 think I covered most of them, but the most important is session creation. 0:14:50.340000 --> 0:14:56.420000 So when a user authenticates, the server generates a session ID that uniquely 0:14:56.420000 --> 0:15:03.840000 identifies the user's session, the session ID is typically stored in a 0:15:03.840000 --> 0:15:09.180000 parameter or HTTP header, and is sent with each request, i.e. 0:15:09.180000 --> 0:15:11.280000 your wristband, right? 0:15:11.280000 --> 0:15:14.080000 We then have session maintenance. 0:15:14.080000 --> 0:15:18.720000 So the session ID allows the application to remember the user across multiple 0:15:18.720000 --> 0:15:24.500000 requests, retaining information like user preferences, roles, and permissions. 
0:15:24.500000 --> 0:15:29.020000 This process enables smooth user experiences, such as keeping users logged 0:15:29.020000 --> 0:15:33.820000 in, while they navigate different pages, maintaining your language, for 0:15:33.820000 --> 0:15:37.480000 example, on the web page, if that is an option, etc. 0:15:37.480000 --> 0:15:43.540000 So you can obviously tell just with these two functions, just how important 0:15:43.540000 --> 0:15:48.400000 session management is, especially in the context of the modern internet 0:15:48.400000 --> 0:15:51.400000 or the modern web applications. 0:15:51.400000 --> 0:15:54.620000 We then have session security, equally as important. 0:15:54.620000 --> 0:15:59.640000 So session management incorporates security measures to protect the session 0:15:59.640000 --> 0:16:05.080000 from threats like session hijacking, fixation, and replay attacks. 0:16:05.080000 --> 0:16:09.960000 So using the analogy again of the concert, there could be some nefarious 0:16:09.960000 --> 0:16:16.800000 or malicious individuals within the concert arena already that may, that's 0:16:16.800000 --> 0:16:21.560000 essentially spot you and see that, hey, that guy has access to the VIP 0:16:21.560000 --> 0:16:24.060000 section, and his wristband is red. 0:16:24.060000 --> 0:16:28.700000 Well, remember the nefarious individual or the attacker in this case is 0:16:28.700000 --> 0:16:30.220000 wearing a green wristband. 0:16:30.220000 --> 0:16:31.820000 So they're a standard user. 0:16:31.820000 --> 0:16:36.820000 And if we use a web application analogy or sort of conjoin those two, 0:16:36.820000 --> 0:16:42.840000 and you with the red wristband have admin privilege as well, what's to 0:16:42.840000 --> 0:16:47.240000 stop the attacker from, you know, running over to you and stealing your 0:16:47.240000 --> 0:16:51.100000 wristband? Again, I'm not, we're not diving into the specifics as to whether 0:16:51.100000 --> 0:16:52.860000 that's possible or not. 
0:16:52.860000 --> 0:16:57.020000 But there is a possibility that they can try and get it off you, right? 0:16:57.020000 --> 0:17:01.220000 And you need a way to protect or prevent that from happening. 0:17:01.220000 --> 0:17:07.480000 And again, with the analogy there, that's what session security is all 0:17:07.480000 --> 0:17:12.980000 about. Another example you can sort of include in them is, you know, the 0:17:12.980000 --> 0:17:19.880000 sort of preventing fake or counterfeit wristbands from being brought in 0:17:19.880000 --> 0:17:23.500000 from the outside or something like that. 0:17:23.500000 --> 0:17:26.160000 But let's not dive too deep into that analogy. 0:17:26.160000 --> 0:17:28.020000 We could take it quite far. 0:17:28.020000 --> 0:17:32.580000 So in the case of web applications now, this will typically include secure 0:17:32.580000 --> 0:17:38.640000 transmission of session data, for example, using HTTPS and setting secure 0:17:38.640000 --> 0:17:41.380000 cookie flags and enforcing timeouts. 0:17:41.380000 --> 0:17:46.920000 So very, very important, you then have session termination, which is again 0:17:46.920000 --> 0:17:51.220000 equally as important, I should say, where sessions are typically terminated 0:17:51.220000 --> 0:17:57.340000 after a certain period of inactivity or, you know, a session timeout, 0:17:57.340000 --> 0:18:00.020000 or when a user logs out. 0:18:00.020000 --> 0:18:05.560000 Okay. And proper session termination ensures that unauthorized users cannot 0:18:05.560000 --> 0:18:09.000000 reuse session data, i.e. 0:18:09.000000 --> 0:18:13.500000 when you leave the concert, you have to leave through the same gate you 0:18:13.500000 --> 0:18:14.980000 came in typically. 0:18:14.980000 --> 0:18:20.080000 And when you do that, your wrist, your wristband is actually cut and taken 0:18:20.080000 --> 0:18:23.660000 off you so that you can go and give it to someone else. 0:18:23.660000 --> 0:18:26.280000 Right. 
And it's pretty much null and void. 0:18:26.280000 --> 0:18:29.640000 If you want to get back in, you need to buy another ticket. 0:18:29.640000 --> 0:18:31.580000 So that's very important. 0:18:31.580000 --> 0:18:34.820000 The bottom line is you can give it to your brother and have your brother 0:18:34.820000 --> 0:18:37.580000 go in with your wristband. 0:18:37.580000 --> 0:18:46.700000 You know, they would need to pay for session termination is as equally 0:18:46.700000 --> 0:18:52.080000 as important as session creation in the earlier slide there. 0:18:52.080000 --> 0:18:56.820000 So before we actually end this video, I want to go over authentication 0:18:56.820000 --> 0:18:58.000000 and session management. 0:18:58.000000 --> 0:19:02.340000 Now with the analogy, you sort of understand the link between the two, 0:19:02.340000 --> 0:19:05.380000 but let's go over it in a more technical sense. 0:19:05.380000 --> 0:19:07.920000 So authentication as the starting point. 0:19:07.920000 --> 0:19:16.620000 So authentication is always requiring credentials like a username and 0:19:16.620000 --> 0:19:21.180000 password. Once authenticated, the application can grant access based on 0:19:21.180000 --> 0:19:23.280000 the user's identity. 0:19:23.280000 --> 0:19:25.280000 You then have step two. 0:19:25.280000 --> 0:19:28.380000 So session creation following authentication. 0:19:28.380000 --> 0:19:31.000000 So session creation after authentication. 0:19:31.000000 --> 0:19:37.240000 Upon successful authentication, a session is created and assigned a unique 0:19:37.240000 --> 0:19:45.840000 session ID. This session ID allows the application to in subsequent requests 0:19:45.840000 --> 0:19:51.760000 without requiring reauthentication, maintaining a continuous interaction 0:19:51.760000 --> 0:19:57.360000 or essentially allowing you to use the website in an authenticated state 0:19:57.360000 --> 0:20:04.040000 for a couple of hours or whatever the timeout duration is set to. 
0:20:04.040000 --> 0:20:10.700000 So step two, then step three, part of, you know, the link between authentication 0:20:10.700000 --> 0:20:12.660000 and session management. 0:20:12.660000 --> 0:20:16.120000 You have session management for identity continuity. 0:20:16.120000 --> 0:20:20.820000 So session management maintains the user's authenticated state across 0:20:20.820000 --> 0:20:22.100000 multiple requests. 0:20:22.100000 --> 0:20:23.260000 You already know that. 0:20:23.260000 --> 0:20:25.800000 So why is this important? 0:20:25.800000 --> 0:20:31.000000 This continuity is vital because HTTP, as we explored earlier, the underlying 0:20:31.000000 --> 0:20:35.620000 protocol, is stateless and doesn't inherently remember user identities 0:20:35.620000 --> 0:20:37.580000 between requests. 0:20:37.580000 --> 0:20:42.460000 Session management essentially "remembers" the authenticated 0:20:42.460000 --> 0:20:45.120000 user across their session. 0:20:45.120000 --> 0:20:49.900000 And then we have the security of session, the security of sessions post 0:20:49.900000 --> 0:20:53.860000 authentication, so session security in essence. 0:20:53.860000 --> 0:20:58.480000 After authentication, session management ensures that session data and 0:20:58.480000 --> 0:21:00.700000 the session ID remain secure. 0:21:00.700000 --> 0:21:06.440000 So that's the whole idea using the analogy of setting up a security system 0:21:06.440000 --> 0:21:10.920000 to prevent you from having your wristband robbed off you once you're 0:21:10.920000 --> 0:21:12.280000 inside the concert. 0:21:12.280000 --> 0:21:16.480000 So that could be again, in the case of the analogy, having security guards 0:21:16.480000 --> 0:21:21.420000 that are monitoring any potentially nefarious activity like that. 0:21:21.420000 --> 0:21:24.560000 In the case of web applications, it's slightly different. 
0:21:24.560000 --> 0:21:28.880000 So, you know, you can have techniques like session timeouts, secure cookies 0:21:28.880000 --> 0:21:33.240000 and token-based mechanisms, you know, to essentially help protect the 0:21:33.240000 --> 0:21:39.220000 session from threats such as session hijacking, fixation and impersonation, 0:21:39.220000 --> 0:21:45.240000 impersonation being a very important one, as we'll soon be exploring. 0:21:45.240000 --> 0:21:52.140000 And finally, and again, quite important, session termination and reauthentication. 0:21:52.140000 --> 0:21:57.220000 So when a user logs out or when the session expires, session management 0:21:57.220000 --> 0:22:02.380000 terminates the session to end the user's authenticated state. 0:22:02.380000 --> 0:22:08.160000 If the user returns, they must re-authenticate, re-initiating the cycle 0:22:08.160000 --> 0:22:10.480000 of session creation and management. 0:22:10.480000 --> 0:22:15.820000 So in short, authentication identifies the user, while session management 0:22:15.820000 --> 0:22:20.740000 maintains that authenticated identity across the interactions with the 0:22:20.740000 --> 0:22:26.160000 application, ensuring both security and usability throughout the user's 0:22:26.160000 --> 0:22:32.020000 session. And that, in a nutshell, is session management, and hopefully you've 0:22:32.020000 --> 0:22:35.180000 understood it a little bit better with the multiple analogies that I've 0:22:35.180000 --> 0:22:39.880000 been using. But this diagram here that I generated to show you the link 0:22:39.880000 --> 0:22:44.500000 between yourself, the web application and, you know, the back end or server 0:22:44.500000 --> 0:22:54.160000 side, as well as the relationship between authentication and session management. 0:22:54.160000 --> 0:23:00.500000 You know, in this particular case, this diagram sort of dives into what 0:23:00.500000 --> 0:23:03.700000 you typically see in terms of web application architecture. 
0:23:03.700000 --> 0:23:07.920000 So over here, you have yourself or your browser, and you then have the 0:23:07.920000 --> 0:23:11.260000 web application, doesn't really matter, you know, what it is, but it is 0:23:11.260000 --> 0:23:15.040000 a web app. And we have the database in the back end. 0:23:15.040000 --> 0:23:19.680000 So right over here, you can see it starts with you sending a login request. 0:23:19.680000 --> 0:23:24.080000 So you log in with your username and password, what happens then, the web 0:23:24.080000 --> 0:23:29.160000 application in conjunction with the back end database verifies your credentials. 0:23:29.160000 --> 0:23:33.600000 And you know, it says, yeah, authentication is successful. 0:23:33.600000 --> 0:23:36.700000 All right, now the web app then creates a session ID. 0:23:36.700000 --> 0:23:41.460000 This is session management now, and stores it in the cookie or token. 0:23:41.460000 --> 0:23:44.080000 So just keep that in mind. 0:23:44.080000 --> 0:23:48.500000 And then sends the session ID to you or your browser. 0:23:48.500000 --> 0:23:52.540000 And then you, once you're logged in, can start browsing the website or the 0:23:52.540000 --> 0:23:55.480000 web application in an authenticated state. 0:23:55.480000 --> 0:24:01.220000 And that is facilitated by your cookie that has your session ID or your 0:24:01.220000 --> 0:24:06.780000 token, right? So you send subsequent requests with the same session ID, 0:24:06.780000 --> 0:24:10.780000 your session ID is validated in the back end. 0:24:10.780000 --> 0:24:16.500000 If it is valid or still valid and not expired, whatever request you make, 0:24:16.500000 --> 0:24:19.780000 you'll get the corresponding data. 0:24:19.780000 --> 0:24:23.360000 And as you can see here, provides access to requested resource. 
0:24:23.360000 --> 0:24:36.540000 And then you can see over here, when you log out, or when you log in, 0:24:36.540000 --> 0:24:43.320000 and you know, that ends your session or logs you out and requires reauthentication. 0:24:43.320000 --> 0:24:48.580000 So this diagram is sort of an infrastructure diagram that sort of, you 0:24:48.580000 --> 0:24:51.220000 know, if you're a developer, you're familiar with this, it just allows 0:24:51.220000 --> 0:24:55.600000 you to visualize what needs to happen or what happens, you know, when 0:24:55.600000 --> 0:25:06.420000 a user logs in, or, you know, an example of what the ideal some nuances 0:25:06.420000 --> 0:25:08.240000 that I need to clarify. 0:25:08.240000 --> 0:25:12.140000 And some of you may have picked up on them, because I sort of did not 0:25:12.140000 --> 0:25:16.140000 include them in my analogy, but it's best that I go through them right 0:25:16.140000 --> 0:25:20.300000 now. Now, based on everything that I've laid out in these slides and the 0:25:20.300000 --> 0:25:26.800000 examples that I've given, you may be tempted to conflate session management 0:25:26.800000 --> 0:25:31.940000 with authentication, right, or the process of logging in, for example, 0:25:31.940000 --> 0:25:37.120000 however, it is important to note that this is not always the case. 0:25:37.120000 --> 0:25:38.660000 Now, what do I mean by that? 0:25:38.660000 --> 0:25:45.500000 What I mean by that is with web applications, session, you don't need 0:25:45.500000 --> 0:25:51.460000 to log in, or to, you know, try and log in in order for the web application 0:25:51.460000 --> 0:25:56.340000 to essentially give you a session ID. 
0:25:56.340000 --> 0:26:01.580000 What you'll typically see nowadays in some modern web applications is 0:26:01.580000 --> 0:26:07.140000 that they immediately, once you visit the web page or the web application 0:26:07.140000 --> 0:26:15.860000 as an anonymous user, they give you a session ID to track anonymous users, 0:26:15.860000 --> 0:26:18.800000 you know, immediately from your very first request. 0:26:18.800000 --> 0:26:24.700000 And this may not be directly related to, you know, your identity per se, 0:26:24.700000 --> 0:26:29.480000 or maintaining that, but it's really used for instances where the web 0:26:29.480000 --> 0:26:34.760000 application has user-defined preferences or options. 0:26:34.760000 --> 0:26:40.120000 For example, the language, if your web application has multi-language 0:26:40.120000 --> 0:26:44.760000 support and I specify a different language than the default, session management 0:26:44.760000 --> 0:26:52.800000 typically ensures that regardless as to, you know, regardless as if you, 0:26:52.800000 --> 0:26:57.340000 regardless of the fact that you may or may not be authenticated, that 0:26:57.340000 --> 0:27:01.620000 language option is preserved until maybe you clear your cookies or something 0:27:01.620000 --> 0:27:05.200000 like that. And those session IDs, or, you know, that cookie will typically 0:27:05.200000 --> 0:27:07.120000 have an expiry as well. 0:27:07.120000 --> 0:27:08.860000 But this is very important. 0:27:08.860000 --> 0:27:12.660000 Another example of this is again, visiting a website and, you know, not 0:27:12.660000 --> 0:27:15.960000 logging in, so you're an anonymous user. 0:27:15.960000 --> 0:27:21.540000 And you change the, you change from light mode to dark mode. 
0:27:21.540000 --> 0:27:25.420000 How does the web application know that, you know, when you go on to the 0:27:25.420000 --> 0:27:29.040000 next page, or you navigate around the web application, that you want that 0:27:29.040000 --> 0:27:33.100000 maintained? Well, you know, it facilitates this, or this is facilitated 0:27:33.100000 --> 0:27:35.860000 through session management as well. 0:27:35.860000 --> 0:27:40.240000 So I just wanted to let you know that it's not that session management 0:27:40.240000 --> 0:27:46.300000 is exclusive to, you know, just coming into play after authentication. 0:27:46.300000 --> 0:27:52.080000 You know, it can, it's typically used for others, you know, other bits 0:27:52.080000 --> 0:27:57.400000 of accessibility or, you know, usability functionality, you know, that 0:27:57.400000 --> 0:28:01.680000 in some cases will precede authentication. 0:28:01.680000 --> 0:28:07.920000 But mostly to do with user preferences if the website has that built in. 0:28:07.920000 --> 0:28:11.360000 But with that being said, I know we've been going for a while here, but 0:28:11.360000 --> 0:28:14.920000 I really thought it was important to use these different analogies and 0:28:14.920000 --> 0:28:20.720000 examples to help you visualize exactly what it is when I say your session 0:28:20.720000 --> 0:28:23.140000 ID. What does that mean? 0:28:23.140000 --> 0:28:26.400000 And hopefully with the concert analogy, although I know it's pretty, it's 0:28:26.400000 --> 0:28:29.760000 not the best. Hopefully with that analogy, you're able to understand, 0:28:29.760000 --> 0:28:35.300000 you know, what the login form is and what happens after you log in, and 0:28:35.300000 --> 0:28:39.840000 how you're sort of given this session ID and the fact that it's not going 0:28:39.840000 --> 0:28:41.360000 to last forever. 
0:28:41.360000 --> 0:28:45.780000 And you're going to need to log in again either because of a timeout or, 0:28:45.780000 --> 0:28:49.400000 you know, if you choose to log out. 0:28:49.400000 --> 0:28:52.360000 But with that being said, that's going to be it for this video. 0:28:52.360000 --> 0:28:55.000000 And I will be seeing you in the next video.