Sure, you can terminate the session by closing the browser, and many people
do this, but what happens if you don't close the browser but just move on to
another web site? It would be pretty simple to use the back button or
perhaps something like a cross-site scripting attack to pick up a session
token.
Or what if you are using a tab-based browser and just close the tab rather
than closing the browser itself? Will the session still end?
The main reason I like providing a logoff button is to force a token to
invalidate for those times you want to be sure you are logged off--such as
when using a shared pc. There are things attackers can use, such as token
keep-alive techniques, combined with other techniques, that allow them to
take over an old session. Forcing a session to die helps protect you if
someone else somehow got your session token. And there are many, many ways
that others can obtain your session token.
Having said all that, even if the developer added a logoff button, I suspect
that few users would actually use it. And there are many techniques to help
secure sessions tokens even if someone doesn't explitely log off. For
example, session tokens should always have relative as well as absolute
timeouts to prevent someone from keeping a session alive indefintely.
Allowing a log off is not going to stop attacks that target session tokens.
But then again, is it really that hard to add a button?
Mark Burnett
-----Original Message-----
From: test.future@gmail.com [mailto:test.future@gmail.com]
Sent: Tuesday, May 02, 2006 1:41 AM
To: webappsec@securityfocus.com
Subject: Is logoff feature necessary
We have a web applicaiton which do not have logoff button.
The developer claims that it is unnecessary, since the
session can be terminated by closing the browser. Is it
correct? Thanks.
--------------------------------------------------------------
-----------
Sponsored by: Watchfire
The Twelve Most Common Application-level Hack Attacks Hackers
continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious
attacks. This whitepaper identifies the most common methods
of attacks that we have seen, and outlines a guideline for
developing secure web applications.
Download this whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70130
0000007t9r
--------------------------------------------------------------
------------
-------------------------------------------------------------------------
Sponsored by: Watchfire
The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have seen,
and outlines a guideline for developing secure web applications.
Download this whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------
