WebApp Sec mailing list archives
RE: Is logoff feature necessary
From: André Gil <andregil () di fct unl pt>
Date: Tue, 2 May 2006 11:03:32 +0100
Actually this depends on whether you control the access media to your application and even if you do it still poses some threat level. Let's say the only access is from office computers. If your security plan states that you blindly trust all of your employees and if there's no external access (not employees) to the computers physically then there's no security problem. Now is it realistic to trust employees? If your web application is accessible from public computers then log off should be a needed feature because people not always close their browsers in order to end a session. What if on a public computer the user forgets the browser opened? If you have a log off feature and they don't use it then you can always say that the user executed the actions even if it was someone else. That way you will have a solution against that threat. Of course this depends on your politics. It might be wiser to implement some kind of log off button and on sign in a mechanism where you ask the user if she is using a public or personal computer. If on a public you show the log off button if on a personal you can maintain the session till browser closing. Of course this still poses some threats. Another subject you need to consider is if your application will be widely used do you want to spend memory with sessions not in use? Well those was just my two cents. André -----Original Message----- From: test.future () gmail com To: webappsec () securityfocus com Sent: 02-05-06 08:41 Subject: Is logoff feature necessary We have a web applicaiton which do not have logoff button. The developer claims that it is unnecessary, since the session can be terminated by closing the browser. Is it correct? Thanks. ------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack Attacks Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r -------------------------------------------------------------------------- ------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack Attacks Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r --------------------------------------------------------------------------
Current thread:
- RE: Is logoff feature necessary, (continued)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 03)
- Administrivia: Is logoff feature necessary Andrew van der Stock (May 03)
- RE: Is logoff feature necessary Keith Duffin (May 03)
- Re: Is logoff feature necessary Andrew van der Stock (May 03)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 03)
- RE: Is logoff feature necessary wa0qmj (May 03)
- RE: Is logoff feature necessary M. Burnett (May 03)
- Re: Is logoff feature necessary Robert Hajime Lanning (May 03)
- Re: Is logoff feature necessary Alexander Bolante (May 03)
- Re: Is logoff feature necessary Alexis FitzGerald (May 03)
- RE: Is logoff feature necessary wa0qmj (May 03)
- RE: Is logoff feature necessary André Gil (May 03)
- RE: Is logoff feature necessary Steven Rebello (May 03)
- RE: Is logoff feature necessary King, Stuart (REHQ-LON) (May 03)
- RE: Is logoff feature necessary Jeff Robertson (May 03)
- RE: Is logoff feature necessary Popowycz, Alex (May 03)
- RE: Is logoff feature necessary Sarbjit Singh Gill (May 03)
- RE: Is logoff feature necessary Currey, Mick A (May 03)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 03)
- Is logoff feature necessary intel96 (May 04)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 08)
- RE: Is logoff feature necessary Matt Fisher (May 10)