Fortinet FortiWeb 5.0 Patch 6 Administration Guide
At any given moment, some inputs or actions are valid and possible while others are not.
Without a memory of its history to define the current context, the software cannot know
which actions are valid and possible, and therefore cannot know how it should function.
When software cannot function without memory, it is stateful. Many important features —
denying access if a person is not currently logged in, for example, or shipping what has been
added to a shopping cart — are stateful, and therefore can’t be supported by purely stateless
HTTP according to the original RFC. Such features require that web apps augment the HTTP
protocol by adding a notion of session memory via:
• Cookies per RFC 2965 (since superseded by RFC 6265)
• Hidden inputs
• Server-side sessions
• Other means (see “Authentication styles” on page 221)
Because memory is an accumulation of input, sessions have security implications.
• Can a different client easily forge another client’s session?
• Are session IDs reused in encrypted form data, thereby weakening the encryption?
• Are session histories used to check for invalid next URLs or inputs (state transitions)?
When sessions are not protected to prevent misuse, software can be used in unexpected
ways by attackers.
For example, let’s say there is a vending machine. You must insert money first. If you:
• insert a paper clip instead of a coin
• press the button for a snack before you have inserted enough money
• press the button to return your money before you have inserted any money
the machine will do nothing. The machine is designed so that it must be in the state where it
has received enough money before it will dispense the snack (or return your change).
Figure 2: State transitions in a vending machine
If the vending machine had no notion of states, it would dispense free snacks or change,
regardless of whether it had received any money.
While free snacks might make some hungry people happy, it is not the intended behavior. We
would say that the vending machine is broken.
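The vending machine and the earlier question about using session histories to check for invalid next URLs are the same mechanism: a table of which actions are valid from the current state, and a refusal of everything else. The following is an added example, not code from the FortiWeb guide: a small table-driven state machine instantiated twice, once as the vending machine above (with a hypothetical price of two coins) and once as a made-up shopping-cart session whose valid next request depends on what the client has already done. The state names, actions and URLs are assumptions for the illustration.

```python
"""Added example (not from the FortiWeb guide): refusing invalid state transitions.

A small table-driven state machine, instantiated twice: as the vending machine
in the text, and as a hypothetical shopping-cart session whose valid next
request depends on what the client has already done. The states, actions and
URLs are made up for the illustration.
"""


class StateMachine:
    """Current state plus a table of (state, action) -> (next_state, output).

    A (state, action) pair absent from the table is an invalid transition: it is
    refused and the state does not change. The history list is the memory that
    makes the machine stateful.
    """

    def __init__(self, initial, table):
        self.state = initial
        self.table = table
        self.history = [initial]

    def apply(self, action):
        """Return (accepted, output). An unknown action (a paper clip) is refused too."""
        transition = self.table.get((self.state, action))
        if transition is None:
            return False, None
        self.state, output = transition
        self.history.append(self.state)
        return True, output


# Vending machine: the snack costs two coins, so "paid" is reachable only via "one_coin".
VENDING = {
    ("idle", "insert_coin"): ("one_coin", None),
    ("one_coin", "insert_coin"): ("paid", None),
    ("one_coin", "return_money"): ("idle", "coin"),
    ("paid", "press_snack"): ("idle", "snack"),
    ("paid", "return_money"): ("idle", "coins"),
}


def run_vending(actions):
    """Feed actions to a fresh machine and return what it actually dispensed."""
    machine = StateMachine("idle", VENDING)
    dispensed = []
    for action in actions:
        accepted, output = machine.apply(action)
        if accepted and output is not None:
            dispensed.append(output)
    return dispensed


def run_stateless_vending(actions):
    """The broken machine from the text: no memory, so every button press succeeds."""
    outputs = {"press_snack": "snack", "return_money": "coins"}
    return [outputs[a] for a in actions if a in outputs]


# Web analogue: which request may legitimately come next depends on the session history.
CHECKOUT = {
    ("anonymous", "POST /login"): ("logged_in", None),
    ("logged_in", "POST /cart"): ("cart", None),
    ("cart", "POST /cart"): ("cart", None),
    ("cart", "GET /checkout"): ("checkout", None),
    ("checkout", "POST /pay"): ("logged_in", "order"),
}


def run_session(requests):
    """Return a (request, verdict) pair for each request in the client's sequence."""
    session = StateMachine("anonymous", CHECKOUT)
    return [(req, "accepted" if session.apply(req)[0] else "blocked") for req in requests]


if __name__ == "__main__":
    print(run_vending(["insert_paper_clip", "press_snack", "return_money"]))  # []
    print(run_vending(["insert_coin", "insert_coin", "press_snack"]))        # ['snack']
    print(run_session(["POST /login", "POST /pay"]))  # second request blocked
```

The stateless variant is the "broken" machine of the text: it dispenses on every button press because it has no record of what came before. The session variant blocks a `POST /pay` that arrives before a login or a checkout, which is what a check on session histories for invalid next URLs amounts to.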