WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Is logoff feature necessary

From: André Gil <andregil () di fct unl pt>
Date: Tue, 2 May 2006 11:03:32 +0100
Actually this depends on whether you control the access media to your application and even if you do it still poses 
some threat level.
Let's say the only access is from office computers. If your security plan states that you blindly trust all of your 
employees and if there's no external access (not employees) to the computers physically then there's no security 
problem. Now is it realistic to trust employees?
If your web application is accessible from public computers then log off should be a needed feature because people not 
always close their browsers in order to end a session. What if on a public computer the user forgets the browser opened?
If you have a log off feature and they don't use it then you can always say that the user executed the actions even if 
it was someone else. That way you will have a solution against that threat. Of course this depends on your politics. It 
might be wiser to implement some kind of log off button and on sign in a mechanism where you ask the user if she is 
using a public or personal computer. If on a public you show the log off button if on a personal you can maintain the 
session till browser closing. Of course this still poses some threats. Another subject you need to consider is if your 
application will be widely used do you want to spend memory with sessions not in use?

Well those was just my two cents.

André

-----Original Message-----
From: test.future () gmail com
To: webappsec () securityfocus com
Sent: 02-05-06 08:41
Subject: Is logoff feature necessary

We have a web applicaiton which do not have logoff button. The developer claims that it is unnecessary, since the 
session can be terminated by closing the browser. Is it correct? Thanks.

-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------



-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have seen,
and outlines a guideline for developing secure web applications.
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: