|
Web Application Security
Is logoff feature necessary May 02 2006 07:41AM test future gmail com (14 replies) Re: Is logoff feature necessary May 02 2006 08:06PM Robert Hajime Lanning (robert lanning gmail com) RE: Is logoff feature necessary May 02 2006 12:40PM Rod Divilbiss (rod rodsdot com) (1 replies) RE: Is logoff feature necessary May 03 2006 10:59AM Auri Rahimzadeh (auri auri net) (2 replies) Administrivia: Is logoff feature necessary May 03 2006 12:53PM Andrew van der Stock (vanderaj greebo net) Re: Is logoff feature necessary May 02 2006 09:32AM Luciano Miguel Ferreira Rocha (strange nsk no-ip org) |
|
|
Privacy Statement |
do this, but what happens if you don't close the browser but just move on to
another web site? It would be pretty simple to use the back button or
perhaps something like a cross-site scripting attack to pick up a session
token.
Or what if you are using a tab-based browser and just close the tab rather
than closing the browser itself? Will the session still end?
The main reason I like providing a logoff button is to force a token to
invalidate for those times you want to be sure you are logged off--such as
when using a shared pc. There are things attackers can use, such as token
keep-alive techniques, combined with other techniques, that allow them to
take over an old session. Forcing a session to die helps protect you if
someone else somehow got your session token. And there are many, many ways
that others can obtain your session token.
Having said all that, even if the developer added a logoff button, I suspect
that few users would actually use it. And there are many techniques to help
secure sessions tokens even if someone doesn't explitely log off. For
example, session tokens should always have relative as well as absolute
timeouts to prevent someone from keeping a session alive indefintely.
Allowing a log off is not going to stop attacks that target session tokens.
But then again, is it really that hard to add a button?
Mark Burnett
> -----Original Message-----
> From: test.future (at) gmail (dot) com [email concealed] [mailto:test.future (at) gmail (dot) com [email concealed]]
> Sent: Tuesday, May 02, 2006 1:41 AM
> To: webappsec (at) securityfocus (dot) com [email concealed]
> Subject: Is logoff feature necessary
>
> We have a web applicaiton which do not have logoff button.
> The developer claims that it is unnecessary, since the
> session can be terminated by closing the browser. Is it
> correct? Thanks.
>
> --------------------------------------------------------------
> -----------
> Sponsored by: Watchfire
>
> The Twelve Most Common Application-level Hack Attacks Hackers
> continue to add billions to the cost of doing business online
> despite security executives' efforts to prevent malicious
> attacks. This whitepaper identifies the most common methods
> of attacks that we have seen, and outlines a guideline for
> developing secure web applications.
> Download this whitepaper today!
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70130
0000007t9r
> --------------------------------------------------------------
> ------------
>
------------------------------------------------------------------------
-
Sponsored by: Watchfire
The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have seen,
and outlines a guideline for developing secure web applications.
Download this whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
------------------------------------------------------------------------
--
[ reply ]