WebApp Sec mailing list archives
RE: Is logoff feature necessary
From: "Rod Divilbiss" <rod () rodsdot com>
Date: Wed, 10 May 2006 19:54:47 -0500
I am a little confused about the comments regarding a "standard" regarding logging off. Web application developers can only dream about standards in any event. What we have are recommendations, not standards. A quick examination will reveal that the developers of web browsers make decisions to support, ignore, or even add proprietary extensions to the W3C recommendations. Any semi-literate programmer can make a browser which ignores any and all recommendations from the W3C. Therefore, relying on the browser to implement any recommendation (or "standard") would be a poor application programming choice.

Creating a method to grant or deny a browser client access to portions of a web-based application based on whether the client is authenticated and authorized (logged on) or has requested termination (logged off) must be accomplished by the application, not the browser. In that HTTP is a connectionless protocol, any method used will be dependent in a large part on how the application maintains session state. Any state management method which relies on the browser doing something (accepting a cookie) or not doing something (not caching a page) will not be 100% reliable, in that the application has no control over the client. If the state mechanism requires a token to be saved on the client side, you cannot assume any instruction directed at the browser will be obeyed by the browser. E.g., the browser can ignore instructions not to cache a page and can ignore instructions to delete a session cookie.

All you can do is attempt to identify the client browser using a client-side token. Only the web application itself can decide if the state of the client identified by the client-side token is currently logged on or logged off. As long as you do not use client-side methods to determine the state of "logged on" or "logged off", the log off functionality is trivial. No standard browser behavior can be trusted in this regard.
Regards,
Rod

-----Original Message-----
From: Auri Rahimzadeh [mailto:Auri () auri net]
Sent: Wednesday, May 10, 2006 12:16 PM
To: auri () auri net; Rod Divilbiss; test.future () gmail com; Matt Fisher
Cc: webappsec () securityfocus com
Subject: RE: Is logoff feature necessary

Since there is no standardized logoff/logout mechanism defined (someone please tell me if I'm wrong!), it would be insanely difficult to assume the browser could log the user out appropriately. Of course, that would be a great W3C group to start up... I'd join! Heck, I'd even chair it! :)

Thanks again!

Best,
Auri Rahimzadeh
Author, Hacking the PSP
www.hackingpsp.com

---------- Original Message ----------------------------------
From: "Matt Fisher" <mfisher () spidynamics com>
Date: Tue, 9 May 2006 23:14:21 -0400
I've heard of that being done before. It makes sense. How silly an idea would it be for the browser itself to send one last "goodbye" with the sessionID to the last site visited when it's closed?

-----Original Message-----
From: Auri Rahimzadeh [mailto:auri () auri net]
Sent: Monday, May 08, 2006 9:06 AM
To: Auri () auri net; 'Rod Divilbiss'; test.future () gmail com
Cc: webappsec () securityfocus com
Subject: RE: Is logoff feature necessary

(sorry, this message was floating around in the rafters and never made it to the list -A)

One solution I failed to mention was you can try to trap the window close event (via JavaScript) and call your logout code. Many applications do this for the reasons I described earlier.

Thanks again!

Best,
Auri Rahimzadeh
Author, Hacking the PSP
www.hackingpsp.com

-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9h
-------------------------------------------------------------------------
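Rod's point above is that the client-side token only identifies the browser, and only the server decides whether that identity is currently logged on. The following is an added illustration (not code from anyone in the thread) of a server-side session store in which logout deletes the session record, so a browser that ignores the cookie-deletion instruction and re-presents the old token is still refused; an idle timeout is included as the server-side fallback for clients that never sent a logout at all (the window-close trap discussed above cannot be relied on). The store, the timeout value and all sample users are constructed for the example.

```python
import secrets
import time

# Constructed in-memory session store: token -> {"user": ..., "last_seen": ...}.
# A real application would keep this in a database or cache shared by all servers.
SESSIONS = {}
IDLE_TIMEOUT = 15 * 60  # seconds; hypothetical value chosen for the example


def login(user, now=None):
    """Create a server-side session and return the opaque token for the cookie."""
    token = secrets.token_urlsafe(32)  # unguessable; the token carries no state itself
    SESSIONS[token] = {"user": user, "last_seen": now if now is not None else time.time()}
    return token


def logout(token):
    """Terminate the session on the server. Whether or not the browser honours the
    Set-Cookie that deletes the cookie, the token no longer maps to anything."""
    SESSIONS.pop(token, None)


def authenticate(token, now=None):
    """Return the user for a presented token, or None if no live session exists.
    The token only identifies the client; the server decides logged on/off."""
    now = now if now is not None else time.time()
    session = SESSIONS.get(token)
    if session is None:
        return None  # unknown, forged, or already logged-out token
    if now - session["last_seen"] > IDLE_TIMEOUT:
        # Fallback for clients that closed the window or crashed without logging out.
        SESSIONS.pop(token, None)
        return None
    session["last_seen"] = now
    return session["user"]


def demo():
    """Walk through the scenario from the thread: a browser keeps a stale cookie."""
    token = login("alice", now=1000.0)
    before = authenticate(token, now=1001.0)   # "alice"
    logout(token)
    after = authenticate(token, now=1002.0)    # None: server state wins over the cookie
    return before, after


if __name__ == "__main__":
    print(demo())
```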