WebApp Sec mailing list archives

RE: Is logoff feature necessary

From: "Auri Rahimzadeh" <Auri () auri net>
Date: Wed, 3 May 2006 09:22:57 -0500

Keep in mind that from what I've seen simply closing ONE browser window when more than one is open doesn't 
automatically clear/invalidate the session. Both IE and Firefox generally keep those cookies around until ALL windows 
have been closed. This happens a lot in an application I'm working on now - users complain the wrong data is coming up, 
and they think closing that one window will fix things. Nope - they have to close all of them. It usually turns into a 
"well, I rebooted and it worked", when all that did was close all their windows. This would be an interesting issue 
should some adware/malware keep a window open off-screen, or where the user didn't see it. I'd be interested to know if 
there's a trick to force the cookie to be removed when you close a single window when multiple windows are open, other 
than using Javascript to do it.

Thanks again!

Best,

Auri Rahimzadeh
Author
Hacking the PSP
www.hackingpsp.com

---------- Original Message ----------------------------------
From: Keith Duffin <kduffin () duffin org>
Date:  Wed, 3 May 2006 08:45:46 -0400 (EDT)

What about instances where an identity framework is used, such as CA's
Siteminder or IBM's Identity Mangament Suite?  Closing the browser will
result in the session begin invalidated - I'm not sure if that cascades to
releasing other resources or not.

On Wed, 3 May 2006, Auri Rahimzadeh wrote:

In addition, having the session state continues to reserves those resources
on the server. So, if there were open recordsets in memory (bad developer!),

(truncated)


-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------

Current thread:

Re: Is logoff feature necessary, (continued)
- Re: Is logoff feature necessary Alexander Bolante (May 03)
- Re: Is logoff feature necessary Alexis FitzGerald (May 03)
- RE: Is logoff feature necessary wa0qmj (May 03)
- RE: Is logoff feature necessary André Gil (May 03)
- RE: Is logoff feature necessary Steven Rebello (May 03)
- RE: Is logoff feature necessary King, Stuart (REHQ-LON) (May 03)
- RE: Is logoff feature necessary Jeff Robertson (May 03)
- RE: Is logoff feature necessary Popowycz, Alex (May 03)
- RE: Is logoff feature necessary Sarbjit Singh Gill (May 03)
- RE: Is logoff feature necessary Currey, Mick A (May 03)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 03)
- Is logoff feature necessary intel96 (May 04)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 08)
- RE: Is logoff feature necessary Matt Fisher (May 10)
  - Re: Is logoff feature necessary Michael Silk (May 11)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 10)
  - RE: Is logoff feature necessary Rod Divilbiss (May 11)
    - RE: Is logoff feature necessary Auri Rahimzadeh (May 11)
    - Re: Is logoff feature necessary Michael Silk (May 11)
    - Re: Is logoff feature necessary Adam Tuliper (May 12)
    - RE: Is logoff feature necessary Auri Rahimzadeh (May 12)

(Thread continues...)