Some protocols (such as IMAP and POP) are session-oriented protocols: a client application establishes a connection with a server, provides the data needed to authenticate the user, processes the data (mailboxes, settings, etc.) in the user account, and then closes the connection. The HTTP protocol is not a session-oriented one: a Web browser establishes a connection, sends one or several page requests, receives the requested data, and closes the connection.
To provide the session-type functionality, the WebUser module implements a so-called application server: when a user is authenticated via the "login page", a virtual session is created. The virtual session is an internal server data structure keeping the information about the user, open mailboxes, and other session-related data, but it is not linked to any particular network connection. When the user is working with an account using a browser, the WebUser module routes browser requests to one of the already opened virtual sessions.
In order to route requests properly, the WebUser module creates a unique session identifier (session ID) for each virtual session and makes user browsers include the session ID in every request they send.
To avoid "hijacking" of WebUser sessions, the WebUser module remembers the network (IP) address from which the login request was received, and routes to the session only the requests received from the same IP address.
Note: Sometimes, when a user connects via a proxy server, the user requests may come to the Server from different IP addresses (if the proxy server uses several network addresses). In this case, the user should disable the address-controlling option on the WebUser Interface Settings page. Users of some large providers access the Internet via the provider's proxy servers, so their accounts should have the address-controlling option disabled. Alternatively, enter the provider proxy IP addresses as a range into the NAT Server IP Addresses list. All network IP addresses that belong to the same range in that list are treated as "same".
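The address check and the "same range" rule described above, as an added example (not the Server's own code). The function names, the in-memory session table, the low/high pair format of the range list, and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import secrets
from dataclasses import dataclass

# Constructed sample: one provider proxy pool entered as a low-high range.
NAT_RANGES = [
    (ipaddress.ip_address("198.51.100.10"), ipaddress.ip_address("198.51.100.20")),
]

@dataclass
class Session:
    account: str
    login_ip: str
    check_address: bool = True  # the per-account address-controlling option

SESSIONS = {}  # session ID -> Session; not linked to any network connection

def _range_of(ip):
    """Return the index of the configured range holding ip, or None."""
    addr = ipaddress.ip_address(ip)
    for i, (lo, hi) in enumerate(NAT_RANGES):
        # Compare only within one address family; v4/v6 ordering raises TypeError.
        if addr.version == lo.version and lo <= addr <= hi:
            return i
    return None

def same_address(a, b):
    """Equal addresses, or two addresses in the same range, count as "same"."""
    if ipaddress.ip_address(a) == ipaddress.ip_address(b):
        return True
    ra = _range_of(a)
    return ra is not None and ra == _range_of(b)

def login(account, client_ip, check_address=True):
    """Create a virtual session after authentication and return its session ID."""
    sid = secrets.token_urlsafe(16)  # assumption: random, unguessable ID
    SESSIONS[sid] = Session(account, client_ip, check_address)
    return sid

def route(sid, client_ip):
    """Return the session a request belongs to, or None if it is not routed."""
    session = SESSIONS.get(sid)
    if session is None:
        return None
    if session.check_address and not same_address(session.login_ip, client_ip):
        return None  # valid session ID presented from a different address
    return session
```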
Usually, users start WebUser sessions by entering their Account names and passwords into the WebUser Interface login page fields. This is a "clear text" login method, and it is secure only when the page is accessed via a secure (SSL/TLS) connection (via the https:// URL).
Alternatively, users can retrieve the /login/ URL on your Server. The Server will require an HTTP-level Authentication, and the browser will either present the Authentication dialog box, or it will send the user's Certificate if a secure (SSL/TLS) connection is used.