RE: Is logoff feature necessary

["Deepu Thomas Philip" <deepu.philip () paladion net>]

I would say it to be wrong!!!!

Some of the many issues would be as follows:

1. What if the user forgets to close the window? -> Then the session would
be kept alive
2. If there is no 'Logout' then the data is always visible when the browser
is kept alive. 
3. Suppose another instance of the same browser is created? Then the session
is kept alive till all the browsers are closed.

If logout button was not necessary then I would say that definitely mail
sites such as Hotmail, Yahoo, Gmail would not have it. They could also
follow with the process of browser closure. But that is not the case !!!!

All in all . A logout button has to be there . 

And the best recommendation for a high profile application would be auto
closure of the browser when logout is issued. 

Regards,
Deepu Thomas Philip
PALADION NETWORKS
--
Website : http://www.paladion.net
Magazine: http://palisade.paladion.net/
--
Disclaimer:
This e-mail message may contain confidential or proprietary information. Do
not use it if you are not the original intended recipient. As e-mail may be
altered electronically, Paladion Networks cannot guarantee the integrity of
this communication. Before opening any attachments please recheck them for
viruses and defects. 

-----Original Message-----
From: test.future () gmail com [mailto:test.future () gmail com] 
Sent: Tuesday, May 02, 2006 1:11 PM
To: webappsec () securityfocus com
Subject: Is logoff feature necessary

We have a web applicaiton which do not have logoff button. The developer
claims that it is unnecessary, since the session can be terminated by
closing the browser. Is it correct? Thanks.

-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------


-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------