WebApp Sec: RE: Is logoff feature necessary

["wa0qmj" <bugtraq () jvedman com>]

My apologies, Firefox will not maintain a session as long as ALL open
instances of the browser are closed.  However, if you have multiple
instances of the browser open, even those which were opened prior to
establishing a session can recycle that session, so I stand by my assertion
that having a logoff function is very important.

Peace,
Wa0qmj

-----Original Message-----
From: wa0qmj [mailto:bugtraq () jvedman com] 
Sent: Tuesday, May 02, 2006 9:08 AM
To: 'webappsec () securityfocus com'
Subject: RE: Is logoff feature necessary

In my experience Foxfire will recycle a session, even after shutting down
and re-opening the browser, so I would argue that a logoff function is
critical.  I really dislike secure systems that don't have them as I feel
that I should be allowed the preference of deciding when I want to end my
session, and should have the security of knowing that my session has been
ended.

Peace,
wa0qmj

-----Original Message-----
From: test.future () gmail com [mailto:test.future () gmail com] 
Sent: Tuesday, May 02, 2006 3:41 AM
To: webappsec () securityfocus com
Subject: Is logoff feature necessary

We have a web applicaiton which do not have logoff button. The developer
claims that it is unnecessary, since the session can be terminated by
closing the browser. Is it correct? Thanks.



-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------