I am a little confused about the comments regarding a "standard" regarding logging off. Web application developers can only dream about standards in any event. What we have are recommendations, not standards. A quick examination will reveal that the developers of web browsers make decisions to support, ignore, or even add proprietary extensions to the W3C recommendations.

Any semi-literate programmer can make a browser which ignores any and all recommendations from the W3C. Therefore, relying on the browser to implement any recommendation (or "standard") would be a poor application programming choice.

Creating a method to grant or deny a browser client access to portions of a web-based application based on whether the client is authenticated and authorized (logged on) or has requested termination (logged off) must be accomplished by the application, not the browser.

In that HTTP is a connectionless protocol, any method used will be dependent in large part on how the application maintains session state. Any state management method which relies on the browser doing something (accepting a cookie) or not doing something (not caching a page) will not be 100% reliable, in that the application has no control over the client.

If the state mechanism requires a token to be saved on the client side, you cannot assume any instruction directed at the browser will be obeyed by the browser. E.g., the browser can ignore instructions not to cache a page and can ignore instructions to delete a session cookie.

All you can do is attempt to identify the client browser using a client-side token. Only the web application itself can decide if the state of the client identified by the client-side token is currently logged on or logged off.

As long as you do not use client-side methods to determine the state of "logged on" or "logged off", the log-off functionality is trivial. No standard browser behavior can be trusted in this regard.

Regards,
Rod
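To make Rod's point concrete, here is a small added example (not code from anyone in this thread) of a logout that depends only on server-side state. It assumes an in-memory session store, a cookie named "sid", and a 15-minute idle timeout; all three are illustrative choices. The demo shows that the same cookie value, presented unchanged after logout (as a browser that ignored the Set-Cookie deletion would do), is rejected, and that an idle session is dropped without any cooperation from the client. The idle timeout is the server-side answer to the "window close" and "goodbye on exit" ideas raised later in the thread: the server cannot rely on hearing about the close, so it ages sessions out itself.

```python
"""Server-side logout and idle expiry for a cookie-identified session.

Added example; the store, cookie name and timeout are assumptions."""
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before the server forgets a session (assumed)
COOKIE_NAME = "sid"     # name of the session cookie (assumed)


@dataclass
class Session:
    user: str
    last_seen: float


class SessionStore:
    """All knowledge of 'logged on' lives here, never in the client token."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so idle expiry can be tested deterministically

    def login(self, user):
        # An unguessable random token is the only thing the client holds.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, self._clock())
        return token  # value the application would send in Set-Cookie

    def logout(self, token):
        # Forgetting the server-side entry is the logout. Whether the browser
        # honours the matching cookie deletion is irrelevant to the decision.
        self._sessions.pop(token, None)

    def user_for(self, token):
        """Return the logged-on user for this token, or None if logged off or expired."""
        if token is None:
            return None
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT:
            del self._sessions[token]  # stale: treat exactly like an explicit logout
            return None
        sess.last_seen = now
        return sess.user


def parse_session_cookie(cookie_header, name=COOKIE_NAME):
    """Pull the session token out of a raw Cookie header; None if absent."""
    if not cookie_header:
        return None
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def handle_request(store, cookie_header):
    """Simulated protected endpoint: status code and body based only on server state."""
    user = store.user_for(parse_session_cookie(cookie_header))
    if user is None:
        return 401, "logged off: sign in required"
    return 200, f"hello {user}"


def demo():
    """Replay the same cookie before and after logout; returns the two status codes."""
    store = SessionStore()
    cookie = f"{COOKIE_NAME}={store.login('alice')}"
    before = handle_request(store, cookie)
    store.logout(parse_session_cookie(cookie))
    after = handle_request(store, cookie)  # client still sends the old cookie
    return before[0], after[0]


if __name__ == "__main__":
    print(demo())  # (200, 401)
```

The token is looked up, never decoded: nothing in it tells the server who the user is or whether they are logged on, so a client that keeps or forges a cookie gains nothing once the server has forgotten the entry.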
-----Original Message-----
From: Auri Rahimzadeh [mailto:Auri auri.net]
Sent: Wednesday, May 10, 2006 12:16 PM
To: auri auri.net; Rod Divilbiss; test.future gmail.com; Matt Fisher
Cc: webappsec securityfocus.com
Subject: RE: Is logoff feature necessary
Since there is no standardized logoff/logout mechanism defined (someone please tell me if I'm wrong!), it would be insanely difficult to assume the browser could log the user out appropriately.

Of course, that would be a great W3C group to start up... I'd join! Heck, I'd even chair it!

Thanks again!

Best,
Auri Rahimzadeh
Author
Hacking the PSP
www.hackingpsp.com
---------- Original Message ----------------------------------
From: "Matt Fisher" <mfisher spidynamics.com>
Date: Tue, 9 May 2006 23:14:21 -0400
>I've heard of that being done before. It makes sense.
>
>How silly an idea would it be for the browser itself to send one last "goodbye" with the sessionID to the last site visited when it's closed?
>
>-----Original Message-----
>From: Auri Rahimzadeh [mailto:auri auri.net]
>Sent: Monday, May 08, 2006 9:06 AM
>To: Auri auri.net; 'Rod Divilbiss'; test.future gmail.com
>Cc: webappsec securityfocus.com
>Subject: RE: Is logoff feature necessary
>
>(sorry, this message was floating around in the rafters and never made it to the list -A)
>
>One solution I failed to mention was you can try to trap the window close event (via Javascript) and call your logout code. Many applications do this for the reasons I described earlier.
>
>Thanks again!
>
>Best,
>
>Auri Rahimzadeh
>Author
>Hacking the PSP
>www.hackingpsp.com
>
>------------------------------------------------------------------------
>Sponsored by: Watchfire
>
>Methodologies & Tools for Web Application Security Assessment
>With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process?
>Download this whitepaper today!
>
>https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9h
>------------------------------------------------------------------------
>