Apr 09 2010
Secure Development - Authentication
In the last two posts, we've talked about access control (authorization) and session management. Today we'll look at the final component that ties those two together into a coherent web application security approach: authentication. After all, it's nearly pointless to have strong access control and session management when authentication is too weak to ensure that users are who they claim to be.
Authentication is required for every part of an organization's website that is not meant to be public. In some cases the application only needs a simple yes/no decision: many subscription services care only that you are on the list of subscribers. In other cases, complex application or business logic governs the access rules and user roles within the application. Authentication matters not only for access control, but also for logging: an action can only be attributed to a user, and later held against that user (non-repudiation), if the user was authenticated when the action was logged.
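The dependency described above, shown in code as an added example (this is not code from the original post). It assumes a hypothetical in-memory user store with PBKDF2-HMAC-SHA256 password hashes, a subscriber yes/no check, a role-based editor check, and an audit log; the accounts and passwords are constructed for illustration. The point it makes is that the authorization checks and the audit log both consume a Principal that only authenticate() can produce, so an unauthenticated request is both denied and unattributable.

```python
"""Authentication as the foundation for access control and attributable logging.

Added example, not from the original post. All accounts, passwords and the
store layout are hypothetical and constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Iteration count for PBKDF2-HMAC-SHA256 (OWASP's 2023 recommendation).
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    subscriber: bool            # the simple yes/no case
    roles: frozenset[str]       # the role-based case


@dataclass(frozen=True)
class Principal:
    """An authenticated identity. Only authenticate() constructs one."""
    username: str


# Constructed sample accounts (hypothetical; not real data).
_USERS = {
    "alice": User("alice", *hash_password("correct horse battery staple"),
                  subscriber=True, roles=frozenset({"editor"})),
    "bob": User("bob", *hash_password("hunter2"),
                subscriber=False, roles=frozenset()),
}

AUDIT_LOG: list[dict] = []


def authenticate(username: str, password: str) -> Optional[Principal]:
    """Verify a password and return a Principal, or None on failure."""
    user = _USERS.get(username)
    # Do the same work for unknown usernames so response time does not
    # reveal which accounts exist.
    salt = user.salt if user is not None else b"\x00" * 16
    _, candidate = hash_password(password, salt)
    expected = user.pw_hash if user is not None else b"\x00" * len(candidate)
    ok = hmac.compare_digest(candidate, expected) and user is not None
    AUDIT_LOG.append({"event": "login", "username": username, "success": ok})
    return Principal(username) if ok else None


def can_read_subscriber_content(principal: Optional[Principal]) -> bool:
    """Yes/no decision: is the caller an authenticated subscriber?"""
    if principal is None:
        return False
    return _USERS[principal.username].subscriber


def can_publish(principal: Optional[Principal]) -> bool:
    """Role-based decision: only authenticated editors may publish."""
    if principal is None:
        return False
    return "editor" in _USERS[principal.username].roles


def publish_article(principal: Optional[Principal], title: str) -> bool:
    """Attempt a privileged action and log it against the authenticated identity.

    Without a Principal the log entry has no actor, which is exactly the
    non-repudiation gap that missing authentication creates.
    """
    allowed = can_publish(principal)
    AUDIT_LOG.append({
        "event": "publish",
        "actor": principal.username if principal is not None else None,
        "title": title,
        "allowed": allowed,
    })
    return allowed
```

Because the authorization functions take a Principal rather than a raw username, there is no code path that grants access or records an actor without a successful call to authenticate() first; that structural choice is what ties authentication, access control and logging together.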
Mar 30 2010
Secure Development - Session Management
Last time, we talked about access control, which typically happens once a user is authenticated and a session is established. Today, we'll go into more detail on the session management process itself. I was originally going to include authentication in this discussion as well, but the blog entry started getting really long. I will write a separate post on authentication issues next time; for now we'll talk about web application session management.