WebApp Sec mailing list archives
RE: Is logoff feature necessary
From: "M. Burnett" <mb () xato net>
Date: Tue, 2 May 2006 09:42:08 -0600
Sure, you can terminate the session by closing the browser, and many people do this, but what happens if you don't close the browser but just move on to another web site? It would be pretty simple to use the back button or perhaps something like a cross-site scripting attack to pick up a session token. Or what if you are using a tab-based browser and just close the tab rather than closing the browser itself? Will the session still end? The main reason I like providing a logoff button is to force a token to invalidate for those times you want to be sure you are logged off--such as when using a shared pc. There are things attackers can use, such as token keep-alive techniques, combined with other techniques, that allow them to take over an old session. Forcing a session to die helps protect you if someone else somehow got your session token. And there are many, many ways that others can obtain your session token. Having said all that, even if the developer added a logoff button, I suspect that few users would actually use it. And there are many techniques to help secure sessions tokens even if someone doesn't explitely log off. For example, session tokens should always have relative as well as absolute timeouts to prevent someone from keeping a session alive indefintely. Allowing a log off is not going to stop attacks that target session tokens. But then again, is it really that hard to add a button? Mark Burnett
-----Original Message----- From: test.future () gmail com [mailto:test.future () gmail com] Sent: Tuesday, May 02, 2006 1:41 AM To: webappsec () securityfocus com Subject: Is logoff feature necessary We have a web applicaiton which do not have logoff button. The developer claims that it is unnecessary, since the session can be terminated by closing the browser. Is it correct? Thanks. -------------------------------------------------------------- ----------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack Attacks Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70130
0000007t9r
-------------------------------------------------------------- ------------
------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack Attacks Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r --------------------------------------------------------------------------
Current thread:
- Re: Is logoff feature necessary, (continued)
- Re: Is logoff feature necessary ViersOnline (May 03)
- RE: Is logoff feature necessary Deepu Thomas Philip (May 03)
- Re: Is logoff feature necessary Michael Silk (May 03)
- Re: Is logoff feature necessary Dave Ferguson (May 03)
- RE: Is logoff feature necessary Rod Divilbiss (May 03)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 03)
- Administrivia: Is logoff feature necessary Andrew van der Stock (May 03)
- RE: Is logoff feature necessary Keith Duffin (May 03)
- Re: Is logoff feature necessary Andrew van der Stock (May 03)
- RE: Is logoff feature necessary Auri Rahimzadeh (May 03)
- RE: Is logoff feature necessary wa0qmj (May 03)
- RE: Is logoff feature necessary M. Burnett (May 03)
- Re: Is logoff feature necessary Robert Hajime Lanning (May 03)
- Re: Is logoff feature necessary Alexander Bolante (May 03)
- Re: Is logoff feature necessary Alexis FitzGerald (May 03)
- RE: Is logoff feature necessary wa0qmj (May 03)
- RE: Is logoff feature necessary André Gil (May 03)
- RE: Is logoff feature necessary Steven Rebello (May 03)
- RE: Is logoff feature necessary King, Stuart (REHQ-LON) (May 03)
- RE: Is logoff feature necessary Jeff Robertson (May 03)
- RE: Is logoff feature necessary Popowycz, Alex (May 03)
- RE: Is logoff feature necessary Sarbjit Singh Gill (May 03)