Network Security: Detailed info on Re: Is logoff feature necessary

Subject:	Re: Is logoff feature necessary
Date:	Fri, 12 May 2006 17:50:28 -0400

Possible, yes...doesn't seem very feasible though on a site with large # of logins, small # of secondary page hits. Traffic seems it would become a potential issue then, as well as current http connections to the server, and additional load on locking session information collections.... and.. its something that has to be built into every page and doesn't exist at the server level. Netbios broadcasts flood networks, as would a similiar "im still here im still here" messages. This would also require additional support on a client browser and assume they have permissions to allow such items.

----- Original Message ----- From: "Michael Silk" <michaelslists@gmail.com> To: <auri@auri.net> Cc: "Rod Divilbiss" <rod@rodsdot.com>; <webappsec@securityfocus.com> Sent: Thursday, May 11, 2006 9:15 PM Subject: Re: Is logoff feature necessary

On 5/11/06, Auri Rahimzadeh <auri@auri.net> wrote:

I agree. There is nothing that can guarantee a logout relying solely on the browser.


Yes there is.

You can have your system require an "heartbeat" message every 10
seconds. This can come in the form of an fancy xmlhttprequest, if you
like, built into every page.

That way the browser is always connected, and if that message arrives
in 11 seconds instead of 10, bam, logged out. Of course you'd combine
this with maximum time logged in, etc, etc, etc. Logout is guaranteed
if the browser doesn't respond (i.e. crash). Logout isn't guaranteed
if someone forges your "i'm still here" message. But there are way
around that ...

-- Michael

-------------------------------------------------------------------------
Sponsored by: Watchfire

Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in
the development of any web application. What methodology should be
followed? What tools can accelerate the assessment process?
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9h
--------------------------------------------------------------------------

-------------------------------------------------------------------------
Sponsored by: Watchfire

Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9h
--------------------------------------------------------------------------

<Prev in Thread]	Current Thread	[Next in Thread>
RE: Is logoff feature necessary, (continued) RE: Is logoff feature necessary, Currey, Mick A RE: Is logoff feature necessary, Auri Rahimzadeh Is logoff feature necessary, intel96 RE: Is logoff feature necessary, Auri Rahimzadeh RE: Is logoff feature necessary, Matt Fisher Re: Is logoff feature necessary, Michael Silk RE: Is logoff feature necessary, Auri Rahimzadeh RE: Is logoff feature necessary, Rod Divilbiss RE: Is logoff feature necessary, Auri Rahimzadeh Re: Is logoff feature necessary, Michael Silk Re: Is logoff feature necessary, Adam Tuliper <= RE: Is logoff feature necessary, Auri Rahimzadeh RE: Is logoff feature necessary, Matt Fisher

Previous by Date:	Re; Comparison report on web app security scanners, jack.jonburg
Next by Date:	RE: Is logoff feature necessary, Auri Rahimzadeh
Previous by Thread:	Re: Is logoff feature necessary, Michael Silk
Next by Thread:	RE: Is logoff feature necessary, Auri Rahimzadeh
Indexes:	[Date] [Thread] [Top] [All Lists]