WebApp Sec mailing list archives
best practices
From: "Matteo Nava" <ilnava () gmail com>
Date: Thu, 14 Sep 2006 23:31:21 -0300
Hi, Normally in web application, when a user end his session, not logging out, but simply closing the browser, the session token stay valid until the session timed out, and so it's potentially reusable. In my opinion it's recommendable that some kind of a mechanism is implemented for invalidate the session token when user close the browser, for example, with a client side javascript code using the onunload event to invalidate the session token. But I haven't found a best practices or any other discussion about this problem. Best Regards, Matteo Nava ------------------------------------------------------------------------- Sponsored by: WatchfireSecuring a web application goes far beyond testing the application using manual processes, or by using automated systems and tools. Watchfire's "Web Application Security: Automated Scanning or Manual Penetration Testing?" whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download it today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm --------------------------------------------------------------------------
Current thread:
- best practices Matteo Nava (Sep 14)
- Re: best practices Rick Zhong (Sep 15)
- Re: best practices Siim Põder (Sep 19)
- Re: best practices Dave Ferguson (Sep 19)
- Re: best practices Rick Zhong (Sep 15)