iTP Secure WebServer System Administrator's Guide (iTPWebSvr 5.1+)

iTP Secure WebServer System Administrator’s Guide 522659-001
11 Administering Session Identifiers for Anonymous Sessions
This section tells you how to set up the iTP Secure WebServer to use Session Identifiers
for anonymous ticketing.
Anonymous Ticketing
Anonymous ticketing allows you to track accesses to your web site—that is, determine
how frequently resources are accessed and by whom.
A ticket is a string of characters that uniquely identifies a user and specifies what
resources the user is permitted to access. The ticket is protected by a message
authentication code (MAC), which makes the ticket nearly impossible to duplicate or
change.
There are various formats for tickets: the iTP Secure WebServer uses a type of ticket
known as a Session Identifier.
A Session Identifier is a short string of characters preceded by two at signs (@@). For
example:
@@Fz3H78Og56kCSf2s
Encoded within this string are the following:
• A message authentication code (MAC)
• A user ID that uniquely identifies the user
• A group ID that indicates what information the user is authorized to access
• An expiration time signifying for how long the ticket is valid
A user acquires a ticket implicitly on the first request for a resource. Thereafter, the web
client automatically transmits the ticket with any subsequent request. A single ticket,
therefore, can be used for multiple requests.
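The ticket contents listed above (MAC, user ID, group ID, expiration time) can be illustrated with a short Python sketch of issuing and verifying a MAC-protected ticket. This is an added example, not the iTP Secure WebServer's Session Identifier encoding, which this guide does not specify; the field widths, HMAC-SHA256 with a 16-byte tag, base64url encoding, the key and the function names are all assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time

KEY = b"constructed-demo-key"   # assumption: secret held only by the server
FIELDS = struct.Struct(">IHI")  # assumed layout: user ID, group ID, expiry
MAC_LEN = 16                    # assumed truncated HMAC-SHA256 tag length


def issue_ticket(user_id, group_id, ttl, now=None, key=KEY):
    """Build '@@' + base64url(MAC || user ID || group ID || expiry)."""
    expires = int(time.time() if now is None else now) + ttl
    body = FIELDS.pack(user_id, group_id, expires)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return "@@" + base64.urlsafe_b64encode(tag + body).decode().rstrip("=")


def verify_ticket(ticket, now=None, key=KEY):
    """Return (user_id, group_id, expires) or raise ValueError."""
    if not ticket.startswith("@@"):
        raise ValueError("missing @@ prefix")
    raw = ticket[2:]
    blob = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
    if len(blob) != MAC_LEN + FIELDS.size:
        raise ValueError("wrong length")
    tag, body = blob[:MAC_LEN], blob[MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    # Check the MAC in constant time before trusting any field in the body.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad MAC")
    user_id, group_id, expires = FIELDS.unpack(body)
    if (time.time() if now is None else now) >= expires:
        raise ValueError("expired")
    return user_id, group_id, expires


if __name__ == "__main__":
    t = issue_ticket(user_id=42, group_id=7, ttl=3600)
    print(t, verify_ticket(t))
    raw = t[2:]
    blob = bytearray(base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)))
    blob[MAC_LEN + 5] ^= 1  # flip one bit of the group ID
    forged = "@@" + base64.urlsafe_b64encode(bytes(blob)).decode().rstrip("=")
    try:
        verify_ticket(forged)
    except ValueError as err:
        print("rejected:", err)
```

In this sketch the MAC detects alteration only: an unmodified ticket still verifies for whoever presents it until the expiration time passes, so the expiry bounds how long a copied ticket stays usable.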
Tracking
Conventional web technology makes tracking a single user through a web site difficult.
The HTTP protocol treats every request for a web resource as a separate, independent
connection. For example, if a user requests a web page that contains four graphics files,
the server interprets the request as five independent requests—one for the HTML file
and one each for the four graphics files. The server receives little information to indicate
that all five requests originated from the same user. The server does receive the IP
address of the requesting browser, but this can be misleading because many users may
have the same perceived IP address when proxy servers are being used.