The session management process covers a wide range of user controls, from authentication to leaving the application. HTTP is a stateless protocol, which means that web servers respond to client requests without establishing a continuous connection to the client. Therefore, even a simple application requires the user to send multiple requests before a session is associated with that user. This is most often done through an appropriate identification token, referred to as a session ID or cookie. Examine how the application manages the session and whether the process can be disrupted. The image below shows a POST request to the application server for user authentication.
![POST request to the application server for user authentication](https://sp-ao.shortpixel.ai/client/to_auto,q_lossy,ret_img,w_661,h_509/https://my127001.pl/wp-content/uploads/2019/01/logowanie.png)
In the next figure, you can see the server response that sets the ASPXUSERWU token for the user; this token serves as the session ID.
![server response that sets an ASPXUSERWU token for the user to serve as the session ID](https://sp-ao.shortpixel.ai/client/to_auto,q_lossy,ret_img,w_661,h_529/https://my127001.pl/wp-content/uploads/2019/01/odpowiedzlogowanie.png)
Each subsequent request to the server is sent with the previously set session token, as shown in the graphic below.
![request to the server is sent together with a predetermined session token](https://sp-ao.shortpixel.ai/client/to_auto,q_lossy,ret_img,w_657,h_357/https://my127001.pl/wp-content/uploads/2019/01/sesja.png)
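The exchange shown in the figures can be reviewed offline with a short script. This is an added example, not code from the original page: it parses a login response, extracts the ASPXUSERWU session cookie, reports which standard protective cookie attributes (Secure, HttpOnly, SameSite) are absent, and builds the header that carries the token on later requests. The sample response, the token value and the `lang` cookie are constructed, and the attribute checks are an assumption about what a reviewer would look at, since the page does not name them.

```python
from http.cookies import SimpleCookie

# Constructed login response (sample data, not captured from the application).
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /Default.aspx\r\n"
    "Set-Cookie: ASPXUSERWU=3F2A9C0D17B84E6AA1C5D0E2F4B69871; path=/; HttpOnly\r\n"
    "Set-Cookie: lang=en; path=/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def set_cookie_headers(raw_response):
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values

def audit_session_cookie(raw_response, cookie_name):
    """Find the session cookie and list the protective attributes it lacks."""
    for header in set_cookie_headers(raw_response):
        jar = SimpleCookie()
        jar.load(header)
        if cookie_name not in jar:
            continue
        morsel = jar[cookie_name]
        findings = []
        if not morsel["secure"]:
            findings.append("Secure missing: token may travel over plain HTTP")
        if not morsel["httponly"]:
            findings.append("HttpOnly missing: token readable by page scripts")
        if not morsel["samesite"]:
            findings.append("SameSite missing: cross-site sending left to browser default")
        return morsel.value, findings
    return None, ["session cookie not set by this response"]

def cookie_request_header(name, value):
    """Header the browser attaches to each subsequent request."""
    return f"Cookie: {name}={value}"

if __name__ == "__main__":
    token, findings = audit_session_cookie(SAMPLE_RESPONSE, "ASPXUSERWU")
    print(cookie_request_header("ASPXUSERWU", token))
    for finding in findings:
        print("-", finding)
```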