WebApp Sec mailing list archives
RE: Is logoff feature necessary
From: "Currey, Mick A" <mick.a.currey () citigroup com>
Date: Wed, 3 May 2006 07:45:46 -0500
Hi, In addition to the logoff button the developer needs to trap the close browser event so the session is killed for the customers that exit the system using this method. Otherwise, the session will stay around taking up memory until the default timeout. Yes, this is a best practice to code like this, but this practice is not always followed. -----Original Message----- From: Alexis FitzGerald [mailto:alexis () iol ie] Sent: Wednesday, May 03, 2006 6:19 AM To: test.future () gmail com; webappsec () securityfocus com Subject: Re: Is logoff feature necessary Hi, In general, if there is a logon button there should be a logoff button. This should tidy up the server session etc. Another concern is that if you have had problems persuading the developer to put in a logoff button, what other security vulnerabilities might be in the application-especially if it is processing sensitive information or transactions. Show the developer the OWASP Top Ten and ask if there are measures in place within the application to protect against these types of vulnerabilities. The OWASP Top Ten is at: http://www.owasp.org/documentation/topten.html regards Alexis email: alexis () iol ie web: www.ritsgroup.com ------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack Attacks Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r -------------------------------------------------------------------------- ------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack Attacks Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r --------------------------------------------------------------------------
Current thread:
- Re: Is logoff feature necessary, (continued)
- Re: Is logoff feature necessary Robert Hajime Lanning (May 03)
- Re: Is logoff feature necessary Alexander Bolante (May 03)
- Re: Is logoff feature necessary Alexis FitzGerald (May 03)
- RE: Is logoff feature necessary wa0qmj (May 03)
- RE: Is logoff feature necessary André Gil (May 03)
- RE: Is logoff feature necessary Steven Rebello (May 03)
- RE: Is logoff feature necessary King, Stuart (REHQ-LON) (May 03)
- RE: Is logoff feature necessary Jeff Robertson (May 03)
- RE: Is logoff feature necessary Popowycz, Alex (May 03)
- RE: Is logoff feature necessary Sarbjit Singh Gill (May 03)
- RE: Is logoff feature necessary Currey, Mick A (May 03)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 03)
- Is logoff feature necessary intel96 (May 04)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 08)
- RE: Is logoff feature necessary Matt Fisher (May 10)
- Re: Is logoff feature necessary Michael Silk (May 11)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 10)
- RE: Is logoff feature necessary Rod Divilbiss (May 11)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 11)
- Re: Is logoff feature necessary Michael Silk (May 11)
- Re: Is logoff feature necessary Adam Tuliper (May 12)
- RE: Is logoff feature necessary Rod Divilbiss (May 11)