|
WebApp Sec
mailing list archives
RE: Is logoff feature necessary
From: André Gil <andregil () di fct unl pt>
Date: Tue, 2 May 2006 11:03:32 +0100
Actually this depends on whether you control the access media to your application and even if you do it still poses
some threat level.
Let's say the only access is from office computers. If your security plan states that you blindly trust all of your
employees and if there's no external access (not employees) to the computers physically then there's no security
problem. Now is it realistic to trust employees?
If your web application is accessible from public computers then log off should be a needed feature because people not
always close their browsers in order to end a session. What if on a public computer the user forgets the browser opened?
If you have a log off feature and they don't use it then you can always say that the user executed the actions even if
it was someone else. That way you will have a solution against that threat. Of course this depends on your politics. It
might be wiser to implement some kind of log off button and on sign in a mechanism where you ask the user if she is
using a public or personal computer. If on a public you show the log off button if on a personal you can maintain the
session till browser closing. Of course this still poses some threats. Another subject you need to consider is if your
application will be widely used do you want to spend memory with sessions not in use?
Well those was just my two cents.
André
-----Original Message-----
From: test.future () gmail com
To: webappsec () securityfocus com
Sent: 02-05-06 08:41
Subject: Is logoff feature necessary
We have a web applicaiton which do not have logoff button. The developer claims that it is unnecessary, since the
session can be terminated by closing the browser. Is it correct? Thanks.
-------------------------------------------------------------------------
Sponsored by: Watchfire
The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have seen,
and outlines a guideline for developing secure web applications.
Download this whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------
-------------------------------------------------------------------------
Sponsored by: Watchfire
The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have seen,
and outlines a guideline for developing secure web applications.
Download this whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------
 By Date 
By Thread
Current thread:
- RE: Is logoff feature necessary, (continued)
|
Intro
