Consider another carelessly written web application which uses a servlet that

checks if there was an active session but does not check if the user is autho$-$

rized to access that page, instead depending on the fact that a link to the page is

shown only to authorized users. What is the risk with this scheme? $($There was

a real instance where applicants to a college admissions site could, after logging

into the web site, exploit this loophole and view information they were not au$-$

thorized to see; the unauthorized access was, however, detected, and those who

accessed the information were punished by being denied admission.$)$