Under normal conditions, web servers do not attempt to recognize any relationship between separate web page requests. However, when those requests originate from the same browser, the requests may be part of a single transaction or session. When the transaction or session is intended to be secure and/or continuous, the web server must be capable of identifying requests that come from the same browser. This is the case, for example, in a commercial transaction where login and password information has been provided through the browser and product or service selections have been made through the browser from various web pages. Session management is used to relate Hypertext Transfer Protocol (HTTP) requests originating from the same browser.
Typically, a session token is transmitted between the browser and the web server. The session token may be stored in a cookie, passed through static URLs, hidden in a web page, or otherwise communicated back and forth.
A security problem that arises with the use of session tokens is the possibility of a third party “hijacking” a session by discovering the session token and transmitting a web page request to the web server using the session token, thereby impersonating the legitimate browser.
Another problem that arises with the use of session tokens occurs in larger web server installations operating on multiple servers. The multiple servers may share resources and balance the load in a “web farm”. A web farm may contain servers that run on different platforms. This presents a problem for session management in that the platforms may have different encoding techniques and a session token generated by one web server in relation to a particular web page will not necessarily be recognized by a second web server in the web farm when the browser requests a new web page that is located on the second web server.
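The following is an added illustration, not code from the original text, of a session token that addresses both problems above: the token identifier is drawn from a cryptographic random source so a third party cannot guess it, and the token carries an HMAC-SHA256 tag over a URL-safe base64 body, so any server in the web farm that holds the same key can verify it without depending on platform-specific encoding or a shared session store. The key, the JSON payload layout and the one-hour lifetime are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed example key shared by every server in the web farm.
# In practice it would come from a secret store, never from source code.
FARM_KEY = b"constructed-shared-key-for-the-example"


def _b64(data: bytes) -> str:
    # URL-safe base64 without padding, so the token survives cookies and URLs unchanged.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, ttl_seconds: int = 3600, key: bytes = FARM_KEY, now=None) -> str:
    """Create a session token: random session id and expiry, bound together by an HMAC."""
    now = int(time.time()) if now is None else now
    payload = {
        "sid": secrets.token_hex(16),  # 128 bits of CSPRNG output: not guessable
        "sub": user,
        "exp": now + ttl_seconds,
    }
    body = _b64(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    tag = _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_token(token: str, key: bytes = FARM_KEY, now=None):
    """Return the payload if the token is intact and unexpired, otherwise None.
    Any server holding the key can verify it; no cross-server session lookup is needed."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(tag), expected):
            return None  # forged or modified token
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if payload.get("exp", 0) <= now:
        return None  # expired: bounds the window in which a stolen token is useful
    return payload
```

A token still acts as a bearer credential, so it must only travel over TLS and be stored in a cookie the browser will not expose to scripts; the expiry only limits, not removes, the damage from a leaked token.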