Re: best practices

[Siim Põder <windo () p6drad-teel net>]

Yo!

Rick Zhong wrote:
> hi,
> The basic rule of thumb is that never rely on session control
> mechanism at the client side such as using javascript because all the
> client side implementations are subject to malicious users' control.
> Normally server-side invalidation of session ID after a specific
> period of idle time  is a recommended practice. The exact length of
> this idle time is really subject to the sensitivity and security
> requirement of the application.

Rule of a thumb it may be, but it does not apply in this case. In most
cases a user with a valid session can always end the session (logout). A
client-side javascript to do that (logout) will only enhance the
security for the good users (their possibly abusable sessions won't be
left hanging) but will give nothing new to work with for the said
malicious users.

Possible issues involved may include multiple windows using one session
where closing one window will end the session in the other window as
well (if your application makes sense in multiple windows and is used in
a setup like that).

Siim Põder


-------------------------------------------------------------------------
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-level 
attacks that hackers use to sneak into web applications today. This 
whitepaper will discuss how traditional CSS attacks are performed, how to 
secure your site against these attacks and check if your site is protected. 
Cross-Site Scripting Explained - Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr
--------------------------------------------------------------------------