Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
Remote Session Invalidation
Posted by: bubenrazuma
Date: April 17, 2007 10:30AM

I've recently got an idea:

It's about the situation when a user enters an application and then closes the browser without logging out.
Would the possibility of invalidating a session you're running from another computer be useful for most applications? It seems strange that I've never seen such a thing.

-- B.R., bubenrazuma.blogspot.com

Re: Remote Session Invalidation
Posted by: rezn
Date: April 17, 2007 12:23PM

If a user clicks 'remember me' they are probably asking for the cookies to 1) be persistent and 2) work next time they open up the same browser and go to that site. This is exactly what happens in your scenario.

A simpler solution than giving a user explicit session control is just to invalidate all of a user's sessions whenever they hit 'Log Out'.

Re: Remote Session Invalidation
Posted by: bubenrazuma
Date: April 17, 2007 01:14PM

rezn, I mean the situation when you're logged in with persistent cookies, then you close the browser and go. Later, you log in on another computer and see that you forgot to log out on the previous one. Then you're free to log out remotely.

Update: ah, you mean *all* cookies... well, that's a question of usability. Just an idea, would be nice to try :)

-- B.R., bubenrazuma.blogspot.com

Edited 1 time(s). Last edit at 04/17/2007 01:16PM by bubenrazuma.

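Both ideas in this thread (bubenrazuma's "log out the session I left on the other computer" and rezn's "Log Out kills every session") need the same server-side bookkeeping: sessions indexed by user, not just by cookie value. The following is an added example, not code from either poster; it assumes an in-memory dictionary standing in for the real session database, and the names `SessionStore`, `revoke_by_handle` and `logout_everywhere` are made up for illustration.

```python
import hashlib
import secrets

def _handle(sid):
    # Opaque reference shown in the UI instead of the raw session id, so a
    # "manage sessions" page never displays a value that works as a cookie.
    return hashlib.sha256(sid.encode()).hexdigest()[:16]

class SessionStore:
    """Server-side sessions indexed by id and by user, so a user can list and
    revoke sessions from another device, or revoke all of them at logout."""

    def __init__(self):
        self.sessions = {}   # sid -> {"user": ..., "device": ...}
        self.by_user = {}    # user -> set of sids (in-memory stand-in for a DB)

    def login(self, user, device):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self.sessions[sid] = {"user": user, "device": device}
        self.by_user.setdefault(user, set()).add(sid)
        return sid

    def user_for(self, sid):
        """Authenticate a request: the session's user, or None if unknown/revoked."""
        s = self.sessions.get(sid)
        return None if s is None else s["user"]

    def list_sessions(self, user):
        """(handle, device) pairs for every live session the user owns."""
        return sorted((_handle(sid), self.sessions[sid]["device"])
                      for sid in self.by_user.get(user, ()))

    def invalidate(self, sid):
        s = self.sessions.pop(sid, None)
        if s is not None:
            self.by_user[s["user"]].discard(sid)
        return s is not None

    def revoke_by_handle(self, caller_sid, handle):
        """Remote logout: the caller may only revoke sessions of its own user."""
        user = self.user_for(caller_sid)
        hits = [s for s in self.by_user.get(user, ()) if _handle(s) == handle]
        return bool(hits) and self.invalidate(hits[0])

    def logout_everywhere(self, caller_sid):
        """rezn's variant: hitting 'Log Out' kills every session of that user."""
        user = self.user_for(caller_sid)
        sids = list(self.by_user.get(user, ()))
        return sum(self.invalidate(sid) for sid in sids)
```

The ownership check in `revoke_by_handle` is the part that matters: without it, the "log out remotely" feature becomes a way for one account to terminate another's sessions.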
