Actually this depends on whether you control the access media to your
application and even if you do it still poses some threat level.
Let's say the only access is from office computers. If your security plan
states that you blindly trust all of your employees and if there's no external
access (not employees) to the computers physically then there's no security
problem. Now is it realistic to trust employees?
If your web application is accessible from public computers then log off should
be a needed feature because people not always close their browsers in order to
end a session. What if on a public computer the user forgets the browser opened?
If you have a log off feature and they don't use it then you can always say
that the user executed the actions even if it was someone else. That way you
will have a solution against that threat. Of course this depends on your
politics. It might be wiser to implement some kind of log off button and on
sign in a mechanism where you ask the user if she is using a public or personal
computer. If on a public you show the log off button if on a personal you can
maintain the session till browser closing. Of course this still poses some
threats. Another subject you need to consider is if your application will be
widely used do you want to spend memory with sessions not in use?
Well those was just my two cents.
André
-----Original Message-----
From: test.future@gmail.com
To: webappsec@securityfocus.com
Sent: 02-05-06 08:41
Subject: Is logoff feature necessary
We have a web applicaiton which do not have logoff button. The developer claims
that it is unnecessary, since the session can be terminated by closing the
browser. Is it correct? Thanks.
-------------------------------------------------------------------------
Sponsored by: Watchfire
The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have seen,
and outlines a guideline for developing secure web applications.
Download this whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------
-------------------------------------------------------------------------
Sponsored by: Watchfire
The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have seen,
and outlines a guideline for developing secure web applications.
Download this whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------
