WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Is logoff feature necessary

From: "Robert Hajime Lanning" <robert.lanning () gmail com>
Date: Tue, 2 May 2006 13:06:41 -0700
This depends.  Are you using HTTP authentication, or do you have an
HTML form based
login with a session ID?

HTTP authentication has no "logout" capabilities.  Every HTTP request
contains the
username and password in it.  You must close the browser to have the
browser forget
the username/password.

If you are handling the authentication yourself within the
application, using an HTML
form, then you are keeping a session state within the application. The HTTP request 
passes a session ID in some form (either embedded in the URL or as an
HTTP Cookie.)
Expiring the cookie on the client is not the only thing that needs to
happen.  The
session in the application needs to be closed out.  Otherwise someone
else will be
able to hijack the session.

On 2 May 2006 07:41:02 -0000, test.future () gmail com
<test.future () gmail com> wrote:

We have a web applicaiton which do not have logoff button. The developer claims
that it is unnecessary, since the session can be terminated by closing the browser.
Is it correct? Thanks.


--
And, did Guloka think the Ulus were too ugly to save?
                                        -Centauri

-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have seen,
and outlines a guideline for developing secure web applications.
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: