Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Is logoff feature necessary

from [Auri Rahimzadeh] Network Security [Permanent Link]
Subject: RE: Is logoff feature necessary
Date: Wed, 3 May 2006 09:22:57 -0500 
Keep in mind that from what I've seen simply closing ONE browser window when 
more than one is open doesn't automatically clear/invalidate the session. Both 
IE and Firefox generally keep those cookies around until ALL windows have been 
closed. This happens a lot in an application I'm working on now - users 
complain the wrong data is coming up, and they think closing that one window 
will fix things. Nope - they have to close all of them. It usually turns into a 
"well, I rebooted and it worked", when all that did was close all their 
windows. This would be an interesting issue should some adware/malware keep a 
window open off-screen, or where the user didn't see it. I'd be interested to 
know if there's a trick to force the cookie to be removed when you close a 
single window when multiple windows are open, other than using Javascript to do 
it.

Thanks again!

Best,

Auri Rahimzadeh
Author
Hacking the PSP
www.hackingpsp.com

---------- Original Message ----------------------------------
From: Keith Duffin <kduffin@duffin.org>
Date:  Wed, 3 May 2006 08:45:46 -0400 (EDT)


What about instances where an identity framework is used, such as CA's
Siteminder or IBM's Identity Mangament Suite?  Closing the browser will
result in the session begin invalidated - I'm not sure if that cascades to
releasing other resources or not.

On Wed, 3 May 2006, Auri Rahimzadeh wrote:


In addition, having the session state continues to reserves those resources
on the server. So, if there were open recordsets in memory (bad developer!),

(truncated)


-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [WEB SECURITY] cookies a fundamental threat?, Martin O'Neal
Next by Date:  Re: yahoo mail login security, Sels, Roger
Previous by Thread:  RE: Is logoff feature necessary, Currey, Mick A
Next by Thread:  Is logoff feature necessary, intel96
Indexes:  [Date] [Thread] [Top] [All Lists]