Adding user account control to our application

For user account control, a user is expected to log in and authenticate using a password. For example, when you log in to your Webmail account, you enter your password upon visiting the page. Thereafter, all your actions are taken as authenticated; that is, you do not have to enter your password again when you send an e-mail. The Webmail client remembers that you are logged in, and you are therefore allowed to complete certain actions.

However, HTTP is a stateless protocol, which means that we have no direct way of knowing that the user who logged in is the same user who made the request to send an e-mail. As a workaround for this problem, we will give the user a cookie when he or she logs in initially, ...
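The login cookie described above only works as proof of identity if the server can tell that it issued the value and that the client has not altered it. The following is an added illustration, not code from the book and not Flask's own session mechanism: it uses only the Python standard library, and the names `SECRET_KEY`, `MAX_AGE`, `issue_cookie` and `verify_cookie` are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Assumed names and values for this illustration only.
SECRET_KEY = secrets.token_bytes(32)  # stays on the server, never sent to the client
MAX_AGE = 3600                        # assumed session lifetime in seconds


def _sign(payload):
    """HMAC-SHA256 tag over the cookie payload, base64url-encoded (bytes)."""
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag)


def issue_cookie(user_id, now=None):
    """Build the cookie value once, right after the password check succeeds."""
    issued = int(time.time() if now is None else now)
    payload = "{}|{}".format(user_id, issued).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload).decode()


def verify_cookie(cookie, now=None):
    """Return the user id for a valid cookie, or None if it is malformed,
    tampered with, or older than MAX_AGE."""
    now = time.time() if now is None else now
    try:
        b64_payload, tag = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(b64_payload.encode())
        tag = tag.encode()
    except ValueError:
        return None
    # Constant-time comparison; check the tag before trusting any field.
    if not hmac.compare_digest(tag, _sign(payload)):
        return None
    user_id, issued = payload.decode().rsplit("|", 1)
    if now - int(issued) > MAX_AGE:
        return None
    return user_id


if __name__ == "__main__":
    cookie = issue_cookie("alice")  # constructed sample user
    print(verify_cookie(cookie))
```

When the value is sent to the browser, the cookie should also carry the `HttpOnly`, `Secure` and `SameSite` attributes so that scripts and plain-HTTP requests cannot read or replay it.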
