Re: Is logoff feature necessary

["Michael Silk" <michaelslists () gmail com>]

On 5/11/06, Auri Rahimzadeh <auri () auri net> wrote:
> I agree. There is nothing that can guarantee a logout relying solely on the
> browser.

Yes there is.

You can have your system require an "heartbeat" message every 10
seconds. This can come in the form of an fancy xmlhttprequest, if you
like, built into every page.

That way the browser is always connected, and if that message arrives
in 11 seconds instead of 10, bam, logged out. Of course you'd combine
this with maximum time logged in, etc, etc, etc. Logout is guaranteed
if the browser doesn't respond (i.e. crash). Logout isn't guaranteed
if someone forges your "i'm still here" message. But there are way
around that ...

-- Michael

-------------------------------------------------------------------------
Sponsored by: Watchfire

Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in
the development of any web application. What methodology should be
followed? What tools can accelerate the assessment process?
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9h
--------------------------------------------------------------------------