The Web Server security model is based on an authenticated user session. Once a session has been created, the application user is authenticated if authentication is used and is logged into the session.
Additionally, you can specify that a session cookie is only passed on an HTTPS secured connection , so the session can only remain active on a secure channel.
For more information about security, see Chapter 8, Securing Web Applications.