CISSP PRACTICE QUESTIONS – 20200818

Effective CISSP Questions

A session begins with an authentication event and refers to all the subject’s activities that take place during its establishment, maintenance, and release.  Web sessions are typically maintained through a session identifier transmitted back and forth between the client and the webserver. Which of the following is not an option to manage the session? (Source: Wentz QOTD)
A. HTTP cookies
B. HTTP requests
C. HTTP status code
D. HTML hidden inputs


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. HTTP status code.

The HTTP response status code is normative: its meaning is fixed by the HTTP specification and it reports the outcome of a single request. It is not a channel for carrying session state, and customizing status codes for that purpose is not a recognized practice. Cookies, request parameters, and hidden form fields all carry a session identifier back and forth; a status code does not.

HTTP Requests

Web browsers send HTTP requests to the web server, which in turn sends HTTP responses back. The following image demonstrates two HTTP messages: an HTTP request and an HTTP response.

HTTP Request

  • The first line of an HTTP request is the request line: the method, the request target (path) and the protocol version, e.g., GET / HTTP/1.1.
  • HTTP requests shall send the cookies they have received back to the web server. The following header in the HTTP request is a good example:
    Cookie: csrftoken=DPwpZuhX08zx910UPL4yXwXKZrMnzD

HTTP Response

  • The first line of an HTTP response is the status line: the protocol version, the status code and a reason phrase, e.g., HTTP/1.0 200 OK. Status codes fall into five classes:
    • Informational responses (100–199)
    • Successful responses (200–299)
    • Redirects (300–399)
    • Client errors (400–499)
    • Server errors (500–599)
  • The HTTP response status code is normative. It’s uncommon to customize the status code.

HTTP Cookies

  • Web browsers passively receive HTTP cookies from the web server; on later requests they send back every cookie whose scope matches the request. That scope is defined by the cookie's Domain and Path attributes (and the Secure flag), which is looser than the same-origin policy: cookies ignore the port and, unless Secure is set, the scheme.
  • A web server sends a cookie (a name-value pair plus attributes) to the web browser through the HTTP response header Set-Cookie, with attributes that control the cookie's scope and lifetime:
    • HttpOnly: The cookie is not exposed to client-side script (document.cookie), so a cross-site scripting payload cannot read it; the browser still attaches it to requests as usual.
    • Secure: The web browser sends the cookie back only over a secure channel (HTTPS), never in cleartext HTTP.
    • Expires or Max-Age set the lifetime of the cookie. If neither is specified, the cookie is a session cookie and is discarded when the browser is closed.

Browser Cookies
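The Set-Cookie / Cookie exchange described above, as an added example that is not part of the original post: a parser for Set-Cookie values, a generator for a hardened session cookie, an audit that lists missing attributes, and a simplified model of when a browser sends a cookie back. Cookie names, values and hostnames are constructed for the example; the SameSite attribute it checks goes beyond the attributes the post discusses.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    """One cookie as delivered by a Set-Cookie header."""
    name: str
    value: str
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)  # lower-cased keys

    def has(self, attr: str) -> bool:
        return attr.lower() in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse the value of a Set-Cookie response header.

    The first segment is name=value; the rest are attributes. Attribute names
    are case-insensitive, and flags such as HttpOnly and Secure carry no value.
    """
    segments = [s.strip() for s in header.split(";")]
    name, _, value = segments[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for seg in segments[1:]:
        if not seg:
            continue
        key, sep, val = seg.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def new_session_cookie(name: str = "sid", max_age: int = 1800) -> str:
    """Set-Cookie value for a fresh session ID with the hardening attributes.

    The ID is 128 bits from the OS CSPRNG. HttpOnly keeps it out of
    document.cookie, Secure keeps it off cleartext HTTP, and SameSite=Strict
    (not covered in the post) stops cross-site requests from carrying it.
    """
    sid = secrets.token_urlsafe(16)
    return (f"{name}={sid}; Path=/; Max-Age={max_age}; "
            "HttpOnly; Secure; SameSite=Strict")


def audit_session_cookie(header: str) -> List[str]:
    """Return the hardening attributes a session cookie is missing."""
    c = parse_set_cookie(header)
    findings = []
    if not c.has("httponly"):
        findings.append("missing HttpOnly: readable by script, so XSS can steal it")
    if not c.has("secure"):
        findings.append("missing Secure: will be sent over cleartext HTTP")
    if not c.has("samesite"):
        findings.append("missing SameSite: attached to cross-site requests (CSRF)")
    if not (c.has("max-age") or c.has("expires")):
        findings.append("no Max-Age/Expires: lives until the browser is closed")
    return findings


def _path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path matching: exact, or a prefix ending on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def browser_would_send(cookie: Cookie, set_by_host: str, request_url: str) -> bool:
    """Simplified model of the browser's decision to attach a cookie.

    A cookie goes back to the host that set it (or any host under its Domain
    attribute), only for request paths under its Path, and, when Secure is
    set, only over https. The port plays no role: cookie scope is looser than
    the same-origin policy.
    """
    url = urlsplit(request_url)
    host = (url.hostname or "").lower()
    domain = (cookie.attrs.get("domain") or set_by_host).lstrip(".").lower()
    host_ok = host == domain or (cookie.has("domain") and host.endswith("." + domain))
    path_ok = _path_match(url.path or "/", cookie.attrs.get("path") or "/")
    scheme_ok = url.scheme == "https" or not cookie.has("secure")
    return host_ok and path_ok and scheme_ok


def cookie_request_header(cookies: List[Cookie]) -> str:
    """The Cookie request header the browser sends back (name=value pairs only)."""
    return "; ".join(f"{c.name}={c.value}" for c in cookies)
```

Running audit_session_cookie over a server's Set-Cookie headers is a quick way to check a session cookie during a review; browser_would_send shows why a Secure cookie set over HTTPS never appears in a cleartext request, while a cookie set without the flag does.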

HTML Hidden Inputs

  • Stateless: HTTP is stateless by design. Each request is handled on its own, and the server keeps no memory of earlier requests unless the application adds one. (HTTP/1.1 connections are normally kept open for several requests, but that is a transport detail; the protocol itself carries no state between requests.) Not holding per-client state is what lets a web server scale.
  • HTML hidden inputs: It is common practice for application developers to carry state in HTML hidden inputs, so that each request brings its state along with it. Sustaining state at the client side offloads the web server: maintaining millions of client states on the server is costly, while having millions of clients hold their own state and report it back is scalable. The trade-off is trust: anything placed in a hidden input can be edited by the client, so the server must validate it or protect its integrity (for example with a keyed signature) before acting on it.

Source: CHRISTOS S
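Carrying state in a hidden input only works if the server can tell whether the client changed it. The following added example (not code from the original post) seals the state with an HMAC-SHA256 tag and an expiry before it is written into the hidden field, and verifies both when the form comes back. The key, field name and state values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from html import escape
from typing import Optional

# Constructed for this example. A real deployment keeps the key out of source
# and rotates it; it is the one thing the client must never learn.
SERVER_KEY = b"example-hidden-state-key-rotate-me"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(data: dict) -> bytes:
    # Canonical JSON so the same state always produces the same bytes to sign.
    return json.dumps(data, separators=(",", ":"), sort_keys=True).encode()


def seal_state(state: dict, key: bytes = SERVER_KEY, ttl: int = 900,
               now: Optional[int] = None) -> str:
    """Produce the token that goes into the hidden input.

    token = base64(payload) '.' base64(HMAC-SHA256(key, payload)), where the
    payload is the state plus an expiry time, so a captured form cannot be
    replayed indefinitely.
    """
    now = int(time.time()) if now is None else now
    payload = _encode({"s": state, "exp": now + ttl})
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def open_state(token: str, key: bytes = SERVER_KEY,
               now: Optional[int] = None) -> Optional[dict]:
    """Verify a token from a submitted form; return the state or None.

    The MAC is checked before anything in the payload is trusted, using a
    constant-time comparison so the check does not leak how many bytes matched.
    """
    now = int(time.time()) if now is None else now
    try:
        p64, t64 = token.split(".")
        payload, tag = _unb64(p64), _unb64(t64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    data = json.loads(payload)
    if data["exp"] < now:
        return None
    return data["s"]


def hidden_input(name: str, token: str) -> str:
    """Render the hidden input; escaping keeps the token from breaking the markup."""
    return (f'<input type="hidden" name="{escape(name)}" '
            f'value="{escape(token)}">')


def forge_token(token: str, new_state: dict) -> str:
    """What a tampering client might try: edit the payload, keep the old tag.

    The edited state no longer matches the HMAC, so open_state() rejects it.
    """
    p64, t64 = token.split(".")
    data = json.loads(_unb64(p64))
    data["s"] = new_state
    return _b64(_encode(data)) + "." + t64
```

The server emits hidden_input("state", seal_state({...})) when rendering the form and calls open_state() on the submitted value; a None result means the field was edited, signed with another key, malformed, or expired, and the request should be rejected rather than repaired.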

The question in Chinese (translated): A session begins with an authentication event and broadly refers to all the subject's activities that occur during its establishment, maintenance, and release. Web sessions are usually maintained through a session identifier (Session ID) transmitted back and forth between the client and the web server. Which of the following is not an option for managing the session? (Source: Wentz QOTD)
A. HTTP cookies
B. HTTP requests
C. HTTP status code
D. HTML hidden inputs


A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.
