WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Is logoff feature necessary

From: "Michael Silk" <michaelslists () gmail com>
Date: Tue, 2 May 2006 21:22:41 +1000
On 2 May 2006 07:41:02 -0000, test.future () gmail com
<test.future () gmail com> wrote:

We have a web applicaiton which do not have logoff button. The developer claims that it
is unnecessary, since the session can be terminated by closing the browser.
Is it correct?


no. browsers may delete 'session' cookies, but if you have your own
cookie, it won't be deleted, and of course the cookie may be set for a
different time period (maybe 20 minutes) thus preventing the browser
from deleting it.

also don't forget that just because the cookie is deleted doesn't mean
the session has ended. if the cookie was intercepted it can still be
used.



Thanks.


you're welcome.

-- Michael

-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have seen,
and outlines a guideline for developing secure web applications.
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: