WebApp Sec mailing list archives
RE: Is logoff feature necessary
From: "Auri Rahimzadeh" <Auri () auri net>
Date: Wed, 3 May 2006 09:22:57 -0500
Keep in mind that from what I've seen simply closing ONE browser window when more than one is open doesn't automatically clear/invalidate the session. Both IE and Firefox generally keep those cookies around until ALL windows have been closed. This happens a lot in an application I'm working on now - users complain the wrong data is coming up, and they think closing that one window will fix things. Nope - they have to close all of them. It usually turns into a "well, I rebooted and it worked", when all that did was close all their windows. This would be an interesting issue should some adware/malware keep a window open off-screen, or where the user didn't see it. I'd be interested to know if there's a trick to force the cookie to be removed when you close a single window when multiple windows are open, other than using Javascript to do it. Thanks again! Best, Auri Rahimzadeh Author Hacking the PSP www.hackingpsp.com ---------- Original Message ---------------------------------- From: Keith Duffin <kduffin () duffin org> Date: Wed, 3 May 2006 08:45:46 -0400 (EDT)
What about instances where an identity framework is used, such as CA's Siteminder or IBM's Identity Mangament Suite? Closing the browser will result in the session begin invalidated - I'm not sure if that cascades to releasing other resources or not. On Wed, 3 May 2006, Auri Rahimzadeh wrote:In addition, having the session state continues to reserves those resources on the server. So, if there were open recordsets in memory (bad developer!),
(truncated) ------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack Attacks Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r --------------------------------------------------------------------------
Current thread:
- Re: Is logoff feature necessary, (continued)
- Re: Is logoff feature necessary Alexander Bolante (May 03)
- Re: Is logoff feature necessary Alexis FitzGerald (May 03)
- RE: Is logoff feature necessary wa0qmj (May 03)
- RE: Is logoff feature necessary André Gil (May 03)
- RE: Is logoff feature necessary Steven Rebello (May 03)
- RE: Is logoff feature necessary King, Stuart (REHQ-LON) (May 03)
- RE: Is logoff feature necessary Jeff Robertson (May 03)
- RE: Is logoff feature necessary Popowycz, Alex (May 03)
- RE: Is logoff feature necessary Sarbjit Singh Gill (May 03)
- RE: Is logoff feature necessary Currey, Mick A (May 03)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 03)
- Is logoff feature necessary intel96 (May 04)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 08)
- RE: Is logoff feature necessary Matt Fisher (May 10)
- Re: Is logoff feature necessary Michael Silk (May 11)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 10)
- RE: Is logoff feature necessary Rod Divilbiss (May 11)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 11)
- Re: Is logoff feature necessary Michael Silk (May 11)
- Re: Is logoff feature necessary Adam Tuliper (May 12)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 12)
- RE: Is logoff feature necessary Rod Divilbiss (May 11)