CISSP PRACTICE QUESTIONS – 20210108

A session is a temporary logical connection between two end-user application processes for message exchange. Which of the following statements about the session is not true?
A. The session layer in the ISO OSI model maps to the application layer in TCP/IP.
B. The establishment of a session is independent of underlying transports.
C. The RESTful-style architecture prescribes how a session is managed.
D. A session can maintain state information even if the transport is connectionless.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. The RESTful-style architecture prescribes how a session is managed.

“Representational state transfer (REST) is a software architectural style that defines a set of constraints to be used for creating Web services.”

Source: Wikipedia

The RESTful-style architecture doesn’t prescribe how a session is managed, specifically how a session is established, maintained, and closed. Instead, it defines constraints imposed on the software architecture such as client-server architecture, statelessness, cacheability, layered system, code on demand (optional), and uniform interface.

The best-known REST feature is the standardization of CRUD operations (create, retrieve, update, and delete) on data, as the following diagram shows:

RESTful API for CRUD (Source: VIKRAMVI KNOWLEDGE SHARING)

ISO OSI Model and TCP/IP Mapping

ISO OSI Model and TCP/IP

What is a Session?

There are various definitions of session across contexts. From the ISO OSI model and TCP/IP perspective, a session can be defined as a temporary logical connection between two end-user application processes for message exchange. It’s commonly referred to as a user or application session.

Transport Protocols

The establishment of a session is independent of the underlying transport. Where there is a session, there is an application, and an application can run over any suitable protocol; it doesn't have to be TCP or UDP. For example, a session can start with authentication, which can be completed over any transport protocol, e.g., TCP, UDP, or NetBEUI, to name a few.

State Information

Session State Architecture (Source: Abhijit Jana)

A session can maintain state information even if the transport is connectionless. The state information can be transmitted between the client and the server and persisted at either the client or the server. It doesn't matter whether the underlying transport protocol is connection-oriented or connectionless.

In stateless communication over a connectionless transport, the state information itself may not be transmitted at all; typically the client presents the session ID, and the server uses it to retrieve the state persisted on the server side. HTTP cookies, HTML form inputs, and the URL query string are common mechanisms for carrying the session ID (and sometimes the state information itself) in web applications.
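As an added illustration, not part of the original post, the toy server below shows the mechanism described above: every message is handled on its own, as a connectionless transport would deliver it, and only the session ID carried in the Cookie header ties a message to the state persisted on the server. The session store, the 300-second lifetime, and the message shape are constructed assumptions; a missing, never-issued, or expired ID simply finds no state.

```python
import secrets

SESSION_TTL = 300  # seconds; an assumed value for this toy


class SessionStore:
    """Server-side session table keyed by an unpredictable, server-issued id."""
    def __init__(self):
        self._sessions = {}  # sid -> {"user", "state", "expires"}

    def create(self, user, now):
        # The server mints the id; an id the client made up is never accepted.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "state": {}, "expires": now + SESSION_TTL}
        return sid

    def lookup(self, sid, now):
        entry = self._sessions.get(sid) if sid else None
        if entry is None:
            return None
        if now >= entry["expires"]:  # expired: drop it and treat it as unknown
            del self._sessions[sid]
            return None
        return entry


def parse_cookie_header(header):
    """Parse a Cookie request header such as 'a=1; SID=xyz' into a dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def handle_datagram(store, msg, now):
    """Handle one message on its own; only the SID it carries links it to earlier ones.
    msg is a constructed shape: {"op", "cookie", and "user" / "key" / "value" as needed}."""
    session = store.lookup(parse_cookie_header(msg.get("cookie", "")).get("SID"), now)
    op = msg.get("op")
    if op == "login":  # authentication starts the session and issues the id
        sid = store.create(msg["user"], now)
        return {"status": 200, "set_cookie": f"SID={sid}; HttpOnly; Secure"}
    if session is None:  # missing, unknown or expired id: no state to retrieve
        return {"status": 401}
    if op == "put":
        session["state"][msg["key"]] = msg["value"]
        return {"status": 200}
    if op == "get":
        return {"status": 200, "value": session["state"].get(msg["key"])}
    return {"status": 400}
```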

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

A session is a temporary logical connection between two end-user application processes for message exchange. Which of the following statements about the session is not true?
A. The session layer in the ISO OSI model maps to the application layer in TCP/IP.
B. The establishment of a session is independent of the underlying transport protocol, e.g., TCP or UDP.
C. The RESTful-style architecture prescribes how a session is managed.
D. A session can maintain state information even if the underlying transport protocol is connectionless.
