And it would be quite an issue on the database side if the
session state was
database-driven.
Best,
-Auri
-----Original Message-----
From: Adam Tuliper [mailto:amt gecko-software.com]
Sent: Friday, May 12, 2006 5:50 PM
To: webappsecsecurityfocus.com
Subject: Re: Is logoff feature necessary
Possible, yes...doesn't seem very feasible though on a site
with large # of
logins, small # of secondary page hits. Traffic seems it
would become a
potential issue then, as well as current http connections to
the server, and
additional load on locking session information
collections.... and.. its
something that has to be built into every page and doesn't
exist at the
server level. Netbios broadcasts flood networks, as would a
similiar "im
still here im still here" messages. This would also
require additional
support on a client browser and assume they have permissions
to allow such
items.
----- Original Message -----
From: "Michael Silk" <michaelslistsgmail.com>
To: <auriauri.net>
Cc: "Rod Divilbiss" <rodrodsdot.com>; <webappsecsecurityfocus.com>
Sent: Thursday, May 11, 2006 9:15 PM
Subject: Re: Is logoff feature necessary
On 5/11/06, Auri Rahimzadeh <auriauri.net> wrote:
> I agree. There is nothing that can guarantee a logout
relying solely on
> the
> browser.
Yes there is.
You can have your system require an "heartbeat"
message every 10
seconds. This can come in the form of an fancy
xmlhttprequest, if you
like, built into every page.
That way the browser is always connected, and if that
message arrives
in 11 seconds instead of 10, bam, logged out. Of course
you'd combine
this with maximum time logged in, etc, etc, etc. Logout is
guaranteed
if the browser doesn't respond (i.e. crash). Logout isn't
guaranteed
if someone forges your "i'm still here"
message. But there are way
around that ...
-- Michael
------------------------------------------------------------
-------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security
Assessment
With the rapid rise in the number and types of security
threats, web
application security assessments should be considered a
crucial phase in
the development of any web application. What methodology
should be
followed? What tools can accelerate the assessment process?
Download this whitepaper today!
https://www.watchfire.com/securearea/whi
tepapers.aspx?id=701300000007t9h
------------------------------------------------------------
--------------
------------------------------------------------------------
-------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security
Assessment
With the rapid rise in the number and types of security
threats, web
application security assessments should be considered a
crucial phase in
the development of any web application. What methodology
should be
followed? What tools can accelerate the assessment process?
Download this whitepaper today!
https://www.watchfire.com/securearea/whi
tepapers.aspx?id=701300000007t9h
------------------------------------------------------------
--------------
------------------------------------------------------------
-------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security
Assessment
With the rapid rise in the number and types of security
threats, web
application security assessments should be considered a
crucial phase in
the development of any web application. What methodology
should be
followed? What tools can accelerate the assessment process?
Download this whitepaper today!
https://www.watchfire.com/securearea/whi
tepapers.aspx?id=701300000007t9h
------------------------------------------------------------
--------------
|