WebApp Sec mailing list archives
RE: Is logoff feature necessary
From: "Popowycz, Alex" <Alex.Popowycz () fmr com>
Date: Tue, 2 May 2006 08:18:34 -0400
It depends on the session state mechanism used and whether it's server or browser side (e.g. cookies). But in any event, having a logout ensures a cleaner / complete logout. Say the user has multiple browser windows open in a given instance. They may (errantly) conclude that closing the window of the site they wish to log out of will actually log them out when it won't. Also, for sessions managed by the host (e.g. session keys, etc) closing out the browser, even completely, still leaves the opening of a replay attack out of the browser cache (if the session variables are carried as query string parameters) which can be common in shared used environments like kiosks, library computers, etc. -----Original Message----- From: test.future () gmail com [mailto:test.future () gmail com] Sent: Tuesday, May 02, 2006 3:41 AM To: webappsec () securityfocus com Subject: Is logoff feature necessary We have a web applicaiton which do not have logoff button. The developer claims that it is unnecessary, since the session can be terminated by closing the browser. Is it correct? Thanks. ------------------------------------------------------------------------ - Sponsored by: Watchfire The Twelve Most Common Application-level Hack Attacks Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r ------------------------------------------------------------------------ -- ------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack Attacks Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r --------------------------------------------------------------------------
Current thread:
- RE: Is logoff feature necessary, (continued)
- RE: Is logoff feature necessary wa0qmj (May 03)
- RE: Is logoff feature necessary M. Burnett (May 03)
- Re: Is logoff feature necessary Robert Hajime Lanning (May 03)
- Re: Is logoff feature necessary Alexander Bolante (May 03)
- Re: Is logoff feature necessary Alexis FitzGerald (May 03)
- RE: Is logoff feature necessary wa0qmj (May 03)
- RE: Is logoff feature necessary André Gil (May 03)
- RE: Is logoff feature necessary Steven Rebello (May 03)
- RE: Is logoff feature necessary King, Stuart (REHQ-LON) (May 03)
- RE: Is logoff feature necessary Jeff Robertson (May 03)
- RE: Is logoff feature necessary Popowycz, Alex (May 03)
- RE: Is logoff feature necessary Sarbjit Singh Gill (May 03)
- RE: Is logoff feature necessary Currey, Mick A (May 03)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 03)
- Is logoff feature necessary intel96 (May 04)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 08)
- RE: Is logoff feature necessary Matt Fisher (May 10)
- Re: Is logoff feature necessary Michael Silk (May 11)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 10)
- RE: Is logoff feature necessary Rod Divilbiss (May 11)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 11)
- RE: Is logoff feature necessary Rod Divilbiss (May 11)
(Thread continues...)