WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Is logoff feature necessary

From: "M. Burnett" <mb () xato net>
Date: Tue, 2 May 2006 09:42:08 -0600
Sure, you can terminate the session by closing the browser, and many people
do this, but what happens if you don't close the browser but just move on to
another web site? It would be pretty simple to use the back button or
perhaps something like a cross-site scripting attack to pick up a session
token.

Or what if you are using a tab-based browser and just close the tab rather
than closing the browser itself? Will the session still end?

The main reason I like providing a logoff button is to force a token to
invalidate for those times you want to be sure you are logged off--such as
when using a shared pc. There are things attackers can use, such as token
keep-alive techniques, combined with other techniques, that allow them to
take over an old session. Forcing a session to die helps protect you if
someone else somehow got your session token. And there are many, many ways
that others can obtain your session token.

Having said all that, even if the developer added a logoff button, I suspect
that few users would actually use it. And there are many techniques to help
secure sessions tokens even if someone doesn't explitely log off. For
example, session tokens should always have relative as well as absolute
timeouts to prevent someone from keeping a session alive indefintely. 

Allowing a log off is not going to stop attacks that target session tokens.
But then again, is it really that hard to add a button?

Mark Burnett






-----Original Message-----
From: test.future () gmail com [mailto:test.future () gmail com] 
Sent: Tuesday, May 02, 2006 1:41 AM
To: webappsec () securityfocus com
Subject: Is logoff feature necessary

We have a web applicaiton which do not have logoff button. 
The developer claims that it is unnecessary, since the 
session can be terminated by closing the browser. Is it 
correct? Thanks.

--------------------------------------------------------------
-----------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks Hackers 
continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious 
attacks. This whitepaper identifies the most common methods 
of attacks that we have seen, and outlines a guideline for 
developing secure web applications. 
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=70130

0000007t9r

--------------------------------------------------------------
------------




-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: