|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
RE: Is logoff feature necessary
From: André Gil (andregil
di.fct.unl.pt)
Date: Tue May 02 2006 - 05:03:32 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Actually this depends on whether you control the access media to your application and even if you do it still poses some threat level.
Let's say the only access is from office computers. If your security plan states that you blindly trust all of your employees and if there's no external access (not employees) to the computers physically then there's no security problem. Now is it realistic to trust employees?
If your web application is accessible from public computers then log off should be a needed feature because people not always close their browsers in order to end a session. What if on a public computer the user forgets the browser opened?
If you have a log off feature and they don't use it then you can always say that the user executed the actions even if it was someone else. That way you will have a solution against that threat. Of course this depends on your politics. It might be wiser to implement some kind of log off button and on sign in a mechanism where you ask the user if she is using a public or personal computer. If on a public you show the log off button if on a personal you can maintain the session till browser closing. Of course this still poses some threats. Another subject you need to consider is if your application will be widely used do you want to spend memory with sessions not in use?
Well those was just my two cents.
André
-----Original Message-----
From: test.futuregmail.com
To: webappsecsecurityfocus.com
Sent: 02-05-06 08:41
Subject: Is logoff feature necessary
We have a web applicaiton which do not have logoff button. The developer claims that it is unnecessary, since the session can be terminated by closing the browser. Is it correct? Thanks.
-------------------------------------------------------------------------
Sponsored by: Watchfire
The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have seen,
and outlines a guideline for developing secure web applications.
Download this whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------
-------------------------------------------------------------------------
Sponsored by: Watchfire
The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have seen,
and outlines a guideline for developing secure web applications.
Download this whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]