Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
Session Management - Forcing Users to Log Off
Posted by: kala
Date: January 15, 2008 04:42AM

I want to implement a function to help users who forgot to log off to send a logoff request before accessing third-party sites. This obviously won't be foolproof as it's run on the client side, but is there a recommended secure way to implement this functionality? What limitations are there (besides having JavaScript disabled)?

Re: Session Management - Forcing Users to Log Off
Posted by: Anonymous User
Date: January 15, 2008 08:51AM

<a href="/foo/bar" onclick="javascript: checkIfThirdPartySiteIsLinkedAndLogOutElseRedirectToTheRequestedURL(this); return false;">foobar</a>

Of course there are nicer ways to bind the event, but that's the principle of how it could work.

Re: Session Management - Forcing Users to Log Off
Posted by: Anonymous User
Date: January 18, 2008 10:05AM

window.onblur = function() {
   // inside an onblur handler "this" is the window; focus is a method and must be called
   this.focus(); alert('stay with us! cuz all your focus belongs 2 us!');
}

Re: Session Management - Forcing Users to Log Off
Posted by: Anonymous User
Date: January 21, 2008 05:18AM

Right - window.onblur or document.body.onblur works too but it's hard if not impossible to check if the user is heading off-site.



Edited 1 time(s). Last edit at 01/21/2008 05:18AM by .mario.

Re: Session Management - Forcing Users to Log Off
Date: February 10, 2008 09:14PM

Isn't there an onClose event?

Anyway, the easiest way to do this is to:

1. Set a really short expiry time for sessions

2. Implement the perfect defense for CSRF: attach one-time tokens to all internal links

Of course, say bye-bye to usability if you decide to do these ;-)

HTML Purifier - Standards Compliant HTML filtering

Re: Session Management - Forcing Users to Log Off
Posted by: riahmatic
Date: February 11, 2008 03:08AM

window.onunload will fire if the page reloads or the window closes.

could do something like:

for all in-site links/forms, onsubmit/onclick="window.localLoad=true"

then this would catch everything else (close, remote link, crash?),
window.onunload = function(){ if(!window.localLoad){ /* logout logic here */ } }

Re: Session Management - Forcing Users to Log Off
Posted by: trev
Date: February 16, 2008 05:03AM

There is onbeforeunload which is meant exactly for this kind of thing. Otherwise it is what riahmatic says - you have to make sure your handler doesn't fire for clicks on local links (though for that I would add one click handler on the document since all events bubble).

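Putting riahmatic's flag and trev's delegated click handler together, as an added example that is not code from either poster. It assumes a logout endpoint at POST /logout that expects the session's CSRF token in a "csrf" form field and a meta tag named "csrf-token" in the page; all three are placeholder names for the example. The same-origin check is a plain function so it can be exercised outside a browser.

```javascript
// Added example (not from the thread): log the user out when they leave the site.

// Decide whether a link target leaves the current origin. Relative URLs resolve
// against the current page, so "/foo/bar" is local; mailto:/javascript: links never
// navigate away and are treated as local too. Note that http vs https counts as a
// different origin.
function isOffSiteLink(href, currentOrigin) {
  let target;
  try {
    target = new URL(href, currentOrigin);
  } catch (e) {
    return false; // unparsable href: nothing to act on
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return false;
  return target.origin !== new URL(currentOrigin).origin;
}

// One click listener on the document sees every anchor click because click events
// bubble (trev's point). It records whether the pending navigation stays on-site so
// the unload handler can skip the logout for local links (riahmatic's flag).
function installLeaveSiteLogout(win, doc, csrfToken) {
  win.localLoad = false;

  doc.addEventListener('click', function (ev) {
    const a = ev.target && ev.target.closest ? ev.target.closest('a[href]') : null;
    if (!a) return;
    win.localLoad = !isOffSiteLink(a.getAttribute('href'), win.location.origin);
  });
  // Form posts back to the app should not trigger a logout either.
  doc.addEventListener('submit', function () { win.localLoad = true; });

  // "pagehide" fires on tab close, reload and navigation. sendBeacon queues the POST
  // so it survives the page going away, which a normal XHR does not. The CSRF token
  // keeps the logout endpoint itself from being triggered by a third-party site.
  win.addEventListener('pagehide', function () {
    if (win.localLoad) { win.localLoad = false; return; }
    win.navigator.sendBeacon('/logout', new URLSearchParams({ csrf: csrfToken }));
  });
}

// Only wire up the DOM when actually running in a browser.
if (typeof document !== 'undefined') {
  const meta = document.querySelector('meta[name="csrf-token"]');
  installLeaveSiteLogout(window, document, meta ? meta.content : '');
}
```

The limitation the thread keeps running into is still there: a reload, a URL typed into the address bar, the back button or a link opened via the context menu never pass through the click handler, so they log the user out as well. The server-side session timeout is what actually bounds the exposure; this is a convenience layer on top of it.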

