WebApp Sec mailing list archives
Re: best practices
From: Siim Põder <windo () p6drad-teel net>
Date: Mon, 18 Sep 2006 18:34:00 +0300
Yo! Rick Zhong wrote:
> hi, The basic rule of thumb is never to rely on session control mechanisms at the client side, such as using javascript, because all client-side implementations are subject to malicious users' control. Normally, server-side invalidation of the session ID after a specific period of idle time is a recommended practice. The exact length of this idle time is really subject to the sensitivity and security requirements of the application.
Rule of thumb it may be, but it does not apply in this case. In most cases a user with a valid session can always end the session (logout). A client-side javascript to do that (logout) will only enhance the security for the good users (their possibly abusable sessions won't be left hanging) but will give nothing new to work with for the said malicious users.

Possible issues involved may include multiple windows using one session, where closing one window will end the session in the other window as well (if your application makes sense in multiple windows and is used in a setup like that).

Siim Põder
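The server-side arrangement both posts take for granted, as an added example that is not code from either poster: the server alone tracks activity and invalidates a session ID after the idle period, while a client-triggered logout can only end a session early, never extend or revive one. The idle timeout value and the injectable clock are assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before invalidation (constructed value, tune per application)


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session store: only the server decides whether a session ID is still live."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self._sessions = {}
        self._idle_timeout = idle_timeout
        self._clock = clock  # injectable so the timeout logic can be tested without sleeping

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # unguessable ID; the client never chooses it
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def lookup(self, sid):
        """Return the user for a live session and refresh its activity time; None if unknown or idle-expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > self._idle_timeout:
            del self._sessions[sid]  # expired here, whatever the client claims
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid):
        """Explicit logout, e.g. triggered by a client-side script on window close.
        A forged or replayed logout can only shorten a session, so it gives an attacker nothing."""
        return self._sessions.pop(sid, None) is not None

    def purge_idle(self):
        """Periodic sweep for sessions that were simply abandoned and never looked up again."""
        now = self._clock()
        dead = [sid for sid, s in self._sessions.items() if now - s.last_seen > self._idle_timeout]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)
```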