WebApp Sec mailing list archives

Re: Is logoff feature necessary


From: Peter Conrad <conrad () tivano de>
Date: Tue, 2 May 2006 11:24:21 +0200

Hi,

On Tuesday, 2 May 2006 09:41, test.future () gmail com wrote:
> We have a web application which does not have a logoff button. The developer
> claims that it is unnecessary, since the session can be terminated by
> closing the browser. Is it correct? Thanks.

When the browser is closed, it usually loses its session token (e.g.
a cookie), so the browser has no way to re-enter the session.

However, on the server side the session will persist until it times
out. So if someone steals the session token, he can continue using the
session even if the original user closes his browser.

So technically what your developer says is *not* correct.

Bye,
        Peter
-- 
Peter Conrad                        Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071
Bahnhofstr. 18                      http://www.tivano.de/
63263 Neu-Isenburg

Germany
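To make the point above concrete, here is a small added illustration (not part of the thread and not code from either poster): a toy server-side session table with an idle timeout, a model of a browser's cookie jar, and a logout that invalidates the session on the server. The store, the 30-minute idle timeout, the user name "alice" and the "stolen" token are all assumptions made for the example. It shows that after the victim closes the browser the server still honours a copied token, that the token stays alive as long as the attacker keeps using it, and that an explicit logout kills it immediately.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    last_seen: float


class SessionStore:
    """In-memory server-side session table: token -> Session (assumed design)."""

    def __init__(self, idle_timeout=30 * 60, clock=time.time):
        self._sessions = {}
        self.idle_timeout = idle_timeout  # seconds of inactivity before expiry
        self.clock = clock                # injectable so the example can fake time

    def login(self, user):
        # Unguessable token; the server, not the client, decides when it dies.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, self.clock())
        return token

    def resolve(self, token):
        """Return the user for a live token, or None. Expired entries are purged.
        Note the sliding window: every successful use refreshes last_seen, so a
        thief who polls regularly can keep the session alive indefinitely."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > self.idle_timeout:
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user

    def logout(self, token):
        """Server-side invalidation: after this the token is worthless to anyone."""
        return self._sessions.pop(token, None) is not None


class Browser:
    """Minimal cookie jar. Closing the browser drops a session cookie client-side
    only; nothing is sent to the server."""

    def __init__(self):
        self.cookie = None

    def close(self):
        self.cookie = None


def demo():
    clock = [1000.0]                     # fake wall clock, constructed for the example
    store = SessionStore(idle_timeout=1800, clock=lambda: clock[0])
    results = {}

    # Scenario 1: no logout, user just closes the browser.
    victim = Browser()
    victim.cookie = store.login("alice")
    stolen = victim.cookie               # assume the attacker captured the cookie
    victim.close()
    results["victim_after_close"] = store.resolve(victim.cookie)     # browser lost it
    results["attacker_after_close"] = store.resolve(stolen)          # server still has it
    clock[0] += 1801                     # idle for just over the timeout
    results["attacker_after_timeout"] = store.resolve(stolen)        # finally gone

    # Scenario 2: explicit logout before closing the browser.
    victim.cookie = store.login("alice")
    stolen = victim.cookie
    store.logout(victim.cookie)
    victim.close()
    results["attacker_after_logout"] = store.resolve(stolen)         # dead at once
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The interesting line is "attacker_after_close": the victim has no cookie any more, but the copied one resolves to "alice" until the idle timeout elapses, and because the timeout is sliding the attacker can postpone that indefinitely by using it. Only the logout path removes the entry on the server.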
