Yo!
Rick Zhong wrote:
hi,
The basic rule of thumb is that never rely on session control
mechanism at the client side such as using javascript because all the
client side implementations are subject to malicious users' control.
Normally server-side invalidation of session ID after a specific
period of idle time is a recommended practice. The exact length of
this idle time is really subject to the sensitivity and security
requirement of the application.
Rule of a thumb it may be, but it does not apply in this case. In most
cases a user with a valid session can always end the session (logout). A
client-side javascript to do that (logout) will only enhance the
security for the good users (their possibly abusable sessions won't be
left hanging) but will give nothing new to work with for the said
malicious users.
Possible issues involved may include multiple windows using one session
where closing one window will end the session in the other window as
well (if your application makes sense in multiple windows and is used in
a setup like that).
Siim Põder
-------------------------------------------------------------------------
Sponsored by: Watchfire
Cross-Site Scripting (XSS) is one of the most common application-level
attacks that hackers use to sneak into web applications today. This
whitepaper will discuss how traditional CSS attacks are performed, how to
secure your site against these attacks and check if your site is protected.
Cross-Site Scripting Explained - Download this whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr
--------------------------------------------------------------------------
