WebApp Sec mailing list archives
Re: best practices
From: "Rick Zhong" <sagiko () gmail com>
Date: Fri, 15 Sep 2006 16:31:10 +0800
hi, The basic rule of thumb is that never rely on session control mechanism at the client side such as using javascript because all the client side implementations are subject to malicious users' control. Normally server-side invalidation of session ID after a specific period of idle time is a recommended practice. The exact length of this idle time is really subject to the sensitivity and security requirement of the application. regards, Rick Zhong On 9/15/06, Matteo Nava <ilnava () gmail com> wrote:
Hi, Normally in web application, when a user end his session, not logging out, but simply closing the browser, the session token stay valid until the session timed out, and so it's potentially reusable. In my opinion it's recommendable that some kind of a mechanism is implemented for invalidate the session token when user close the browser, for example, with a client side javascript code using the onunload event to invalidate the session token. But I haven't found a best practices or any other discussion about this problem. Best Regards, Matteo Nava ------------------------------------------------------------------------- Sponsored by: Watchfire Securing a web application goes far beyond testing the application using manual processes, or by using automated systems and tools. Watchfire's "Web Application Security: Automated Scanning or Manual Penetration Testing?" whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download it today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm --------------------------------------------------------------------------
------------------------------------------------------------------------- Sponsored by: WatchfireSecuring a web application goes far beyond testing the application using manual processes, or by using automated systems and tools. Watchfire's "Web Application Security: Automated Scanning or Manual Penetration Testing?" whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download it today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm --------------------------------------------------------------------------
Current thread:
- best practices Matteo Nava (Sep 14)
- Re: best practices Rick Zhong (Sep 15)
- Re: best practices Siim Põder (Sep 19)
- Re: best practices Dave Ferguson (Sep 19)
- Re: best practices Rick Zhong (Sep 15)