WebApp Sec mailing list archives

RE: Is logoff feature necessary

From: "Rod Divilbiss" <rod () rodsdot com>
Date: Tue, 2 May 2006 07:40:03 -0500

Closing the browser will cause the session to end. It will however takes
some amount of time (usually 20 minutes) for the session to be terminated by
the server. It may be possible for the user to reopen their browser before
the session times out and reestablish the session. (Depends on how session
state is maintained and how the web application is written.)

Having a logoff button which explicitly kills the session is not a bad
thing.

-----Original Message-----
From: test.future () gmail com [mailto:test.future () gmail com] 
Sent: Tuesday, May 02, 2006 2:41 AM
To: webappsec () securityfocus com
Subject: Is logoff feature necessary

We have a web applicaiton which do not have logoff button. The developer
claims that it is unnecessary, since the session can be terminated by
closing the browser. Is it correct? Thanks.

-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks Hackers continue to
add billions to the cost of doing business online despite security
executives' efforts to prevent malicious attacks. This whitepaper identifies
the most common methods of attacks that we have seen, and outlines a
guideline for developing secure web applications. 
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------


-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------

Current thread:

Is logoff feature necessary test . future (May 02)
- Re: Is logoff feature necessary Vicente Aguilera (May 03)
- Re: Is logoff feature necessary Daniel Persson (May 03)
- Re: Is logoff feature necessary Peter Conrad (May 03)
- Re: Is logoff feature necessary Luciano Miguel Ferreira Rocha (May 03)
- Re: Is logoff feature necessary ViersOnline (May 03)
- RE: Is logoff feature necessary Deepu Thomas Philip (May 03)
- Re: Is logoff feature necessary Michael Silk (May 03)
- Re: Is logoff feature necessary Dave Ferguson (May 03)
- RE: Is logoff feature necessary Rod Divilbiss (May 03)
  - RE: Is logoff feature necessary Auri Rahimzadeh (May 03)
    - Administrivia: Is logoff feature necessary Andrew van der Stock (May 03)
    - RE: Is logoff feature necessary Keith Duffin (May 03)
    - Re: Is logoff feature necessary Andrew van der Stock (May 03)
- RE: Is logoff feature necessary wa0qmj (May 03)
- RE: Is logoff feature necessary M. Burnett (May 03)
- Re: Is logoff feature necessary Robert Hajime Lanning (May 03)
- Re: Is logoff feature necessary Alexander Bolante (May 03)
- Re: Is logoff feature necessary Alexis FitzGerald (May 03)
- <Possible follow-ups>
- RE: Is logoff feature necessary wa0qmj (May 03)

(Thread continues...)