WebApp Sec mailing list archives

RE: Is logoff feature necessary


From: "Rod Divilbiss" <rod () rodsdot com>
Date: Wed, 10 May 2006 19:54:47 -0500

I am a little confused about the comments regarding a "standard" regarding
logging off.  Web application developers can only dream about standards in
any event.  What we have are recommendations, not standards. A quick
examination will reveal that the developers of web browsers make decisions
to support, ignore, or even add proprietary extensions to the W3C
recommendations.

Any semi-literate programmer can make a browser which ignores any and all
recommendations from the W3C. Therefore, relying on the browser to implement
any recommendation (or "standard") would be a poor application programming
choice.

Creating a method to grant or deny a browser client access to portions of a
web-based application based on whether the client is authenticated and authorized
(logged on) or has requested termination (logged off) must be accomplished
by the application, not the browser.

In that HTTP is a connectionless protocol, any method used will be dependent
in a large part on how the application maintains session state. Any state
management method which relies on the browser doing something (accepting a
cookie) or not doing something (not caching a page) will not be 100%
reliable in that the application has no control over the client.

If the state mechanism requires a token to be saved on the client side, you
cannot assume any instruction directed at the browser will be obeyed by the
browser. E.g., the browser can ignore instructions not to cache a page and
can ignore instructions to delete a session cookie.

All you can do is attempt to identify the client browser using a client side
token. Only the web application itself can decide if the state of the client
identified by the client side token is currently logged on or logged off.

As long as you do not use client-side methods to determine the state of
"logged on" or "logged off", the log-off functionality is trivial. No
standard browser behavior can be trusted in this regard.

Regards,
Rod
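Rod's point, that only the server-side session table can decide whether a client token is logged on or logged off, as an added example that is not code from this thread. It assumes an in-memory store keyed by an opaque token, a constructed idle timeout, and a replayed cookie after logout to show the browser's behaviour is irrelevant to the outcome.

```python
import secrets
import time

SESSION_TTL = 30 * 60  # idle seconds allowed before a session expires (constructed value)

class SessionStore:
    """Server-side table: token -> {user, last_seen}. The browser only ever holds the token."""
    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self._sessions = {}
        self._ttl = ttl
        self._clock = clock   # injectable for deterministic tests

    def login(self, user):
        token = secrets.token_urlsafe(32)   # unguessable opaque identifier, carries no state
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def logout(self, token):
        # Invalidate on the server; whether the browser deletes its cookie does not matter.
        return self._sessions.pop(token, None) is not None

    def authenticated_user(self, token):
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > self._ttl:   # idle timeout also enforced server-side
            del self._sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]

def handle_request(store, cookies, path):
    """Minimal request handler: every decision is made from the store, never from the cookie alone."""
    token = cookies.get("sid")
    if path == "/logout":
        if token:
            store.logout(token)
        return 302, "redirect to /login"
    user = store.authenticated_user(token) if token else None
    if user is None:
        return 401, "not logged on"
    return 200, f"hello {user}"

def demo():
    clock = [1000.0]
    store = SessionStore(ttl=60, clock=lambda: clock[0])
    cookies = {"sid": store.login("alice")}      # browser keeps this cookie regardless of our headers
    r1 = handle_request(store, cookies, "/account")
    handle_request(store, cookies, "/logout")
    r2 = handle_request(store, cookies, "/account")   # stale cookie replayed after logout
    sid2 = store.login("bob"); clock[0] += 61
    r3 = handle_request(store, {"sid": sid2}, "/account")   # valid cookie, but session idled out
    return r1[0], r2[0], r3[0]
```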



-----Original Message-----
From: Auri Rahimzadeh [mailto:Auri () auri net] 
Sent: Wednesday, May 10, 2006 12:16 PM
To: auri () auri net; Rod Divilbiss; test.future () gmail com; Matt Fisher
Cc: webappsec () securityfocus com
Subject: RE: Is logoff feature necessary

Since there is no standardized logoff/logout mechanism defined (someone
please tell me if I'm wrong!), it would be insanely difficult to assume the
browser could log the user out appropriately.

Of course, that would be a great W3C group to start up... I'd join! Heck,
I'd even chair it! :)

Thanks again!

Best,

Auri Rahimzadeh
Author
Hacking the PSP
www.hackingpsp.com


---------- Original Message ----------------------------------
From: "Matt Fisher" <mfisher () spidynamics com>
Date:  Tue, 9 May 2006 23:14:21 -0400

I've heard of that being done before.  It makes sense.  

How silly an idea would it be for the browser itself to send one last
"goodbye" with the sessionID to the last site visited when it's closed?



-----Original Message-----
From: Auri Rahimzadeh [mailto:auri () auri net]
Sent: Monday, May 08, 2006 9:06 AM
To: Auri () auri net; 'Rod Divilbiss'; test.future () gmail com
Cc: webappsec () securityfocus com
Subject: RE: Is logoff feature necessary

(sorry, this message was floating around in the rafters and never made 
it to the list -A)

One solution I failed to mention was you can try to trap the window
close event (via JavaScript) and call your logout code. Many
applications do this for the reasons I described earlier.

Thanks again!

Best,

Auri Rahimzadeh
Author
Hacking the PSP
www.hackingpsp.com




-------------------------------------------------------------------------
Sponsored by: Watchfire

Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in
the development of any web application. What methodology should be
followed? What tools can accelerate the assessment process?
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9h
--------------------------------------------------------------------------

