Session management covers a wide range of user controls, from authentication to leaving the application. HTTP is a stateless protocol, which means that web servers respond to client requests without maintaining a continuous connection to the client. Therefore, even a simple application requires the user to send multiple requests before a session is associated with that user. This is most often done through an identification token, referred to as a session ID or cookie. Examine how the application manages the session and whether the process can be disrupted. The image below shows a POST request to the application server for user authentication.
In the next figure, you can see the server response that sets the USER's ASPXUSERWU token to serve as the session ID.
Each subsequent request to the server is sent with the previously set session token, as shown in the graphic below.
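The exchange described above can be checked offline from saved traffic. The following is an added example, not part of the original page: it reads the session cookie from a login response, reports which protective attributes it lacks, and confirms that the follow-up request carries the same token. The attribute check (Secure, HttpOnly, SameSite) goes beyond what the text states, and the token value, host name and function names are constructed for illustration.

```python
# Constructed sample traffic (not captured from a real application).
LOGIN_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: ASPXUSERWU=3f9c1e7ab2d44c58; path=/; HttpOnly\r\n\r\n"
)
NEXT_REQUEST = (
    "GET /home HTTP/1.1\r\nHost: app.example\r\n"
    "Cookie: lang=en; ASPXUSERWU=3f9c1e7ab2d44c58\r\n\r\n"
)

def headers(message, name):
    """Return all values of header `name` (case-insensitive) in a raw HTTP message."""
    head = message.split("\r\n\r\n", 1)[0]
    out = []
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            out.append(value.strip())
    return out

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, token, attributes dict)."""
    first, *rest = [p.strip() for p in value.split(";")]
    name, _, token = first.partition("=")
    attrs = {}
    for part in rest:
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, token, attrs

def audit_session_cookie(response, cookie_name):
    """Return (token, missing attributes) for the session cookie set by `response`."""
    for value in headers(response, "Set-Cookie"):
        name, token, attrs = parse_set_cookie(value)
        if name == cookie_name:
            missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
            return token, missing
    return None, ["cookie not set"]

def request_token(request, cookie_name):
    """Return the value of `cookie_name` sent in the request's Cookie header."""
    for value in headers(request, "Cookie"):
        for pair in value.split(";"):
            k, _, v = pair.strip().partition("=")
            if k == cookie_name:
                return v
    return None
```

For the constructed response, the audit reports that `Secure` and `SameSite` are absent while `HttpOnly` is present.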