WebApp Sec mailing list archives
Is logoff feature necessary
From: intel96 <intel96 () bellsouth net>
Date: Thu, 04 May 2006 00:07:48 -0400
Having a logoff button is an important feature so that the session will terminated correctly. I tested my online banking portal with my account to see what would happen if I did not used the logoff feature. My bank uses 6 cookies to tracking my access to the portal. Each cookie expires at the end of the session. When I shut my Firefox browser using the "x" all the cookies were saved for the session, but they did not work to get back into the portal. I logon to my banking portal and edited the cookies expiration dates for 24 hours in the future. I than bookmarked my current page and shut down my browser using the "x." When I opened my browser I selected my banking bookmark and up popped by banking information. I tried this exercise every 5 minutes for an hour and it worked each time. I than left the browser closed for 30-minutes, but I was still allowed back in to the session. I tried the same test at 1 hour and I could not get back into the session. The bank was also keeping some type of last login information in one of the cookies because my login timestamp never changed until the session expired at the server. The funny thing here is that if I do not have any activity within my banking portal my session will expired within 15 minutes, but if I play with the cookie timestamps I can stay offline for 30 minutes and still get back into the session. One thing the logoff button should do is clear the cookies that were sent to the browser. The developer should also look for the browser close event to clear the cookies even if that event comes from the "x" or the exit in the menu. Intel96 ------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack Attacks Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r --------------------------------------------------------------------------
Current thread:
- Re: Is logoff feature necessary, (continued)
- Re: Is logoff feature necessary Alexis FitzGerald (May 03)
- RE: Is logoff feature necessary wa0qmj (May 03)
- RE: Is logoff feature necessary André Gil (May 03)
- RE: Is logoff feature necessary Steven Rebello (May 03)
- RE: Is logoff feature necessary King, Stuart (REHQ-LON) (May 03)
- RE: Is logoff feature necessary Jeff Robertson (May 03)
- RE: Is logoff feature necessary Popowycz, Alex (May 03)
- RE: Is logoff feature necessary Sarbjit Singh Gill (May 03)
- RE: Is logoff feature necessary Currey, Mick A (May 03)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 03)
- Is logoff feature necessary intel96 (May 04)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 08)
- RE: Is logoff feature necessary Matt Fisher (May 10)
- Re: Is logoff feature necessary Michael Silk (May 11)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 10)
- RE: Is logoff feature necessary Rod Divilbiss (May 11)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 11)
- Re: Is logoff feature necessary Michael Silk (May 11)
- Re: Is logoff feature necessary Adam Tuliper (May 12)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 12)
- RE: Is logoff feature necessary Rod Divilbiss (May 11)