WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Is logoff feature necessary

From: intel96 <intel96 () bellsouth net>
Date: Thu, 04 May 2006 00:07:48 -0400
Having a logoff button is an important feature so that the session will terminated correctly.  I tested my online 
banking portal with my account to see what would happen if I did not used the logoff feature.

My bank uses 6 cookies to tracking my access to the portal.  Each cookie expires at the end of the session.  When I 
shut my Firefox browser using the "x" all the cookies were saved for the session, but they did not work to get back 
into the portal.  

I logon to my banking portal and edited the cookies expiration dates for 24 hours in the future.  I than bookmarked my 
current page and shut down my browser using the "x."  When I opened my browser I selected my banking bookmark and up 
popped by banking information.  I tried this exercise every 5 minutes for an hour and it worked each time.  I than left 
the browser closed for 30-minutes, but I was still allowed back in to the session.  I tried the same test at 1 hour and 
I could not get back into the session.  The bank was also keeping some type of last login information in one of the 
cookies because my login timestamp never changed until the session expired at the server.  

The funny thing here is that if I do not have any activity within my banking portal my session will expired within 15 
minutes, but if I play with the cookie timestamps I can stay offline for 30 minutes and still get back into the 
session.  

One thing the logoff button should do is clear the cookies that were sent to the browser.  The developer should also 
look for the browser close event to clear the cookies even if that event comes from the "x" or the exit in the menu.

Intel96









-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: