A session begins with an authentication event and refers to all the subject’s activities that take place during its establishment, maintenance, and release.  Web sessions are typically maintained through a session identifier transmitted back and forth between the client and the webserver. Which of the following is not an option to manage the session? (Source: Wentz QOTD)
A. HTTP cookies
B. HTTP requests
C. HTTP status code
D. HTML hidden inputs

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. HTTP status code.

The HTTP response status code is normative. It’s uncommon to customize the status code to maintain states.

Source: Jose I Santa Cruz G

HTTP Requests

Web browsers send HTTP requests to the web server, which in turn sends HTTP responses back. The following image demonstrates two HTTP messages: an HTTP request and HTTP response.

HTTP Request

• The first line of an HTTP request is the URL, e.g., GET / HTTP/1.1.
• HTTP requests shall send the cookies they have received back to the web server. The following header in the HTTP request is a good example:
  Cookie: csrf token=DPwpZuh X08zx910UP L4yXwXKZrMnzD

Source: http://www.lexev.org

HTTP Response

• The first line of an HTTP response is the HTTP response status code, e.g., HTTP 1.0 OK 200.
  • Informational responses (100–199)
  • Successful responses (200–299)
  • Redirects (300–399)
  • Client errors (400–499)
  • Server errors (500–599)
• The HTTP response status code is normative. It’s uncommon to customize the status code.

HTTP Cookies

• Web browsers passively receive HTTP cookies from the web server; they shall send the cookies they have received back to the web server that sent the cookie (same-origin policy).
• A web server sends a cookie (a collection of key-value pairs) to the web browser through the HTTP response header, Set-Cookie, with some parameter or condition.
  • HttpOnly: Front-end developers or UX designers are not authorized to access the cookie through JavaScript. The cookie is solely controlled by the web browser.
  • Secure: The web browser shall send the cookie back if and only if a secure channel is established, e.g., TLS/SSL.
  • Expires or Max-Age is all about the lifetime of the cookie. If not specified, the cookie will be cleared once the web browser is closed.

HTML Hidden Inputs

• Stateless: HTTP, in nature, is connectionless and the web server is stateless. In other words, a web server typically doesn’t maintain the connections from web browsers to be scalable. The web server closes the TCP connection after the HTTP request is processed.
• HTML hidden inputs: It’s a common practice for application developers to manage states using HTML hidden inputs. Sustaining states at the client side offloads the web server. For a web server to maintain millions of client states is a bad idea, while requiring millions of clients to maintain and inform the web server of their states is a common and scalable practice.

Source: CHRISTOS S

Reference

• HTTP response status codes
• API calls and HTTP Status codes
• Session Management Cheat Sheet
• Authentication Cheat Sheet
• Set-Cookie
• Listen wifi with wireshark
• ASP.NET Viewstate, Session, Application Variable
• State Management in ASP.NET (ViewState, SessionState & ApplicationState)