For user account control, a user is expected to log in and authenticate using a password. For example, when you log in to your Webmail account, you enter your password upon visiting the page. Thereafter, all your actions are taken as authenticated; that is, you do not have to enter your password again when you send an e-mail. The Webmail client remembers that you are logged in, and you are therefore allowed to complete certain actions.
However, HTTP is a stateless protocol, which means that we have no direct way of knowing that the user who logged in is the same user who made the request to send an e-mail. As a workaround for this problem, we will give the user a cookie when he or she logs in initially, and the user's browser will then send this cookie to us with every subsequent request. We'll use our database to keep track of which users are currently logged in. This allows us to authenticate the user for every request without requesting the...