Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Is logoff feature necessary

from [Currey, Mick A] Network Security [Permanent Link]
Subject: RE: Is logoff feature necessary
Date: Wed, 3 May 2006 07:45:46 -0500 
Hi, 

In addition to the logoff button the developer needs to trap the close browser 
event so the session is killed for the customers that exit the system using 
this method.  Otherwise, the session will stay around taking up memory until 
the default timeout.  Yes, this is a best practice to code like this, but this 
practice is not always followed.  

  




-----Original Message-----
From: Alexis FitzGerald [mailto:alexis@iol.ie]
Sent: Wednesday, May 03, 2006 6:19 AM
To: test.future@gmail.com; webappsec@securityfocus.com
Subject: Re: Is logoff feature necessary


Hi,

In general, if there is a logon button there should be a logoff button. This
should tidy up the server session etc.

Another concern is that if you have had problems persuading the developer to
put in a logoff button, what other security vulnerabilities might be in the
application-especially if it is processing sensitive information or
transactions. Show the developer the OWASP Top Ten and ask if there are
measures in place within the application to protect against these types of
vulnerabilities.

The OWASP Top Ten is at:  http://www.owasp.org/documentation/topten.html

regards

Alexis

email: alexis@iol.ie
web: www.ritsgroup.com



-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------


-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [WEB SECURITY] cookies a fundamental threat?, Achim Hoffmann
Next by Date:  Administrivia: Is logoff feature necessary, Andrew van der Stock
Previous by Thread:  RE: Is logoff feature necessary, Sarbjit Singh Gill
Next by Thread:  RE: Is logoff feature necessary, Auri Rahimzadeh
Indexes:  [Date] [Thread] [Top] [All Lists]