WebApp Sec mailing list archives
RE: Is logoff feature necessary
From: Keith Duffin <kduffin () duffin org>
Date: Wed, 3 May 2006 08:45:46 -0400 (EDT)
What about instances where an identity framework is used, such as CA's Siteminder or IBM's Identity Mangament Suite? Closing the browser will result in the session begin invalidated - I'm not sure if that cascades to releasing other resources or not. On Wed, 3 May 2006, Auri Rahimzadeh wrote:
In addition, having the session state continues to reserves those resources on the server. So, if there were open recordsets in memory (bad developer!), login information, database connections, they all stay there. All closing the window does (and this assumes you have closed *all* browser windows, not just the one window that was being used), is tell the browser to destroy the cookie on the client. This is my no means secure, as has been pointed out by those questioning "what if the session key is in the querystring", which is generally frowned upon due to session hijacking attacks and replay attacks. The performance issue is very real. Imagine a server with 1000 users logging on in 20 minutes (probably an ASP scenario, and assuming the server is set up to time out sessions in 20 minutes, which is pretty standard). If each of them has 100K of session data (developers usually use it for convenience and for variable/data persistence), that's 100,000K (100 megs), used on the server. Now 10,000 users? 1 gig... Vertical and horizontal scaling gets expensive. In addition, the resources you normally need to release per session aren't released, so you could run out of available database pool connections, have open hooks on files, and so forth, and basically break your app. This only gets worse with servers with even longer session timeouts. I've never had a client *not* want a logoff button in their site specs, although they many times forget to ask for one since they're so used to it. I ask about putting one in and they usually say "of course!" Keep in mind that users many times may just close their windows instead of logging out. But many *will* logout, just to be safe/sure. Ahh, yes, another note: Session variables can be the bain of a developer's existence, just like cookies. If the wrong data is persisted, and the developer assumes a session key or cookie doesn't exist, and reads it without first making sure it's not from an old session or invalid data, things can get very, very messy (and darn hard to debug). Thanks again! Best, Auri Rahimzadeh Author Hacking the PSP www.hackingpsp.com -----Original Message----- From: Rod Divilbiss [mailto:rod () rodsdot com] Sent: Tuesday, May 02, 2006 8:40 AM To: test.future () gmail com Cc: webappsec () securityfocus com Subject: RE: Is logoff feature necessary Closing the browser will cause the session to end. It will however takes some amount of time (usually 20 minutes) for the session to be terminated by the server. It may be possible for the user to reopen their browser before the session times out and reestablish the session. (Depends on how session state is maintained and how the web application is written.) Having a logoff button which explicitly kills the session is not a bad thing. -----Original Message----- From: test.future () gmail com [mailto:test.future () gmail com] Sent: Tuesday, May 02, 2006 2:41 AM To: webappsec () securityfocus com Subject: Is logoff feature necessary We have a web applicaiton which do not have logoff button. The developer claims that it is unnecessary, since the session can be terminated by closing the browser. Is it correct? Thanks. ------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack Attacks Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r -------------------------------------------------------------------------- ------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack Attacks Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r -------------------------------------------------------------------------- ------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack Attacks Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r --------------------------------------------------------------------------
------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack Attacks Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r --------------------------------------------------------------------------
Current thread:
- Re: Is logoff feature necessary, (continued)
- Re: Is logoff feature necessary Daniel Persson (May 03)
- Re: Is logoff feature necessary Peter Conrad (May 03)
- Re: Is logoff feature necessary Luciano Miguel Ferreira Rocha (May 03)
- Re: Is logoff feature necessary ViersOnline (May 03)
- RE: Is logoff feature necessary Deepu Thomas Philip (May 03)
- Re: Is logoff feature necessary Michael Silk (May 03)
- Re: Is logoff feature necessary Dave Ferguson (May 03)
- RE: Is logoff feature necessary Rod Divilbiss (May 03)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 03)
- Administrivia: Is logoff feature necessary Andrew van der Stock (May 03)
- RE: Is logoff feature necessary Keith Duffin (May 03)
- Re: Is logoff feature necessary Andrew van der Stock (May 03)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 03)
- RE: Is logoff feature necessary wa0qmj (May 03)
- RE: Is logoff feature necessary M. Burnett (May 03)
- Re: Is logoff feature necessary Robert Hajime Lanning (May 03)
- Re: Is logoff feature necessary Alexander Bolante (May 03)
- Re: Is logoff feature necessary Alexis FitzGerald (May 03)
- RE: Is logoff feature necessary wa0qmj (May 03)
- RE: Is logoff feature necessary André Gil (May 03)
- RE: Is logoff feature necessary Steven Rebello (May 03)
- RE: Is logoff feature necessary King, Stuart (REHQ-LON) (May 03)