WebApp Sec mailing list archives
RE: Is logoff feature necessary
From: "Auri Rahimzadeh" <auri () auri net>
Date: Fri, 12 May 2006 22:03:28 -0400
And it would be quite an issue on the database side if the session state was database-driven. Best, -Auri -----Original Message----- From: Adam Tuliper [mailto:amt () gecko-software com] Sent: Friday, May 12, 2006 5:50 PM To: webappsec () securityfocus com Subject: Re: Is logoff feature necessary Possible, yes...doesn't seem very feasible though on a site with large # of logins, small # of secondary page hits. Traffic seems it would become a potential issue then, as well as current http connections to the server, and additional load on locking session information collections.... and.. its something that has to be built into every page and doesn't exist at the server level. Netbios broadcasts flood networks, as would a similiar "im still here im still here" messages. This would also require additional support on a client browser and assume they have permissions to allow such items. ----- Original Message ----- From: "Michael Silk" <michaelslists () gmail com> To: <auri () auri net> Cc: "Rod Divilbiss" <rod () rodsdot com>; <webappsec () securityfocus com> Sent: Thursday, May 11, 2006 9:15 PM Subject: Re: Is logoff feature necessary On 5/11/06, Auri Rahimzadeh <auri () auri net> wrote:
I agree. There is nothing that can guarantee a logout relying solely on the browser.
Yes there is. You can have your system require an "heartbeat" message every 10 seconds. This can come in the form of an fancy xmlhttprequest, if you like, built into every page. That way the browser is always connected, and if that message arrives in 11 seconds instead of 10, bam, logged out. Of course you'd combine this with maximum time logged in, etc, etc, etc. Logout is guaranteed if the browser doesn't respond (i.e. crash). Logout isn't guaranteed if someone forges your "i'm still here" message. But there are way around that ... -- Michael ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9h -------------------------------------------------------------------------- ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9h -------------------------------------------------------------------------- ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9h --------------------------------------------------------------------------
Current thread:
- RE: Is logoff feature necessary, (continued)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 03)
- Is logoff feature necessary intel96 (May 04)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 08)
- RE: Is logoff feature necessary Matt Fisher (May 10)
- Re: Is logoff feature necessary Michael Silk (May 11)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 10)
- RE: Is logoff feature necessary Rod Divilbiss (May 11)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 11)
- Re: Is logoff feature necessary Michael Silk (May 11)
- Re: Is logoff feature necessary Adam Tuliper (May 12)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 12)
- RE: Is logoff feature necessary Rod Divilbiss (May 11)