iTP Secure WebServer System Administrators Guide (Version 7.5+)

10 Administering Session Identifiers for Anonymous Sessions
This section describes how to set up the iTP Secure WebServer to use Session Identifiers for
anonymous ticketing. Topics discussed in this section include:
“Anonymous Ticketing”
“Tracking”
“Ticketing and Tracking Example”
“Configuring for Anonymous Ticketing”
“Using Session Identifiers for Reporting”
“Using Tcl Variables for Anonymous Sessions”
Anonymous Ticketing
Anonymous ticketing enables you to track accesses to your website—that is, determine how
frequently resources are accessed and by whom.
A ticket is a string of characters that uniquely identifies a user and specifies what resources the
user is permitted to access. The ticket is protected by a message authentication code (MAC), which
makes the ticket nearly impossible to forge or alter.
There are various formats for tickets: the iTP Secure WebServer uses a type of ticket known as a
Session Identifier.
A Session Identifier is a short string of characters preceded by two at signs (@@). For example:
@@Fz3H78Og56kCSf2s
Encoded within this string are:
A message authentication code (MAC)
A user ID that uniquely identifies the user
A group ID that indicates what information the user is authorized to access
An expiration time signifying for how long the ticket is valid
A user acquires a ticket implicitly on the first request for a resource. Thereafter, the Web client
automatically transmits the ticket with any subsequent request. A single ticket, therefore, can be
used for multiple requests.
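A sketch of how a MAC-protected ticket carrying the four fields listed above can be issued and checked. This is an added example, not the iTP Secure WebServer's own code or ticket format: the field widths, HMAC-SHA256 with a truncated tag, the base64url encoding, the key and the function names are all assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo key (assumption); a real server keeps its key in protected storage.
KEY = b"constructed-demo-key-not-for-production"
MAC_LEN = 16                  # truncated HMAC-SHA256 tag, in bytes (assumption)
BODY = struct.Struct(">IHI")  # user ID, group ID, expiration (Unix seconds)


def issue_ticket(user_id, group_id, lifetime_s, now=None, key=KEY):
    """Return '@@' + base64url(MAC || user ID || group ID || expiration)."""
    now = int(time.time()) if now is None else now
    body = BODY.pack(user_id, group_id, now + lifetime_s)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return "@@" + base64.urlsafe_b64encode(tag + body).decode().rstrip("=")


def verify_ticket(ticket, now=None, key=KEY):
    """Return (user_id, group_id, expiration) for a valid ticket, else None."""
    now = int(time.time()) if now is None else now
    if not ticket.startswith("@@"):
        return None
    text = ticket[2:]
    try:
        raw = base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except ValueError:  # malformed base64 or non-ASCII input
        return None
    if len(raw) != MAC_LEN + BODY.size:
        return None
    tag, body = raw[:MAC_LEN], raw[MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    # Check the MAC before trusting any field; compare in constant time.
    if not hmac.compare_digest(tag, expected):
        return None
    user_id, group_id, expiration = BODY.unpack(body)
    if now >= expiration:  # expired tickets are rejected even with a valid MAC
        return None
    return user_id, group_id, expiration
```

The MAC detects forgery and modification only: an intact ticket is accepted from whoever presents it, so the expiration time is what bounds how long a copied ticket stays usable.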
Tracking
Conventional Web technology makes tracking a single user through a website difficult. The HTTP
protocol treats every request for a Web resource as a separate, independent connection. For
example, if a user requests a Web page that contains four graphics files, the server interprets the
request as five independent requests—one for the HTML file and one each for the four graphics
files. The server receives little information to indicate that all five requests originated from the same
user. The server does receive the IP address of the requesting browser, but this can be misleading
because many users might have the same perceived IP address when proxy servers are being
used.
For content providers, this situation makes analyzing how users are accessing their Web pages
difficult. Although the number of accesses (hits) to each file can be counted, it is difficult to know
how many of those hits were made by the same user. In addition, you cannot track a single
individual's access pattern—that is, which URLs the user requested and in what order.
Ticketing identifies a user for a specified duration so user activities can be tracked throughout a
single Web session or across multiple sessions.