Let's revisit the Alice Bob Charles attack. Bob began his application session on eWebMail with his own identity. He had no idea what password Alice used. However, he was able to understand and eventually outwit the session state mechanism used by eWebMail. Halfway through his session, he replaced his user credentials with those of Alice and impersonated her. Oversights and a lack of understanding of the problems caused by poor session management allowed this attack to take place.