[owasp-intrinsic-security] Logging Out

Bil Corry bil at corry.biz
Fri Nov 7 16:42:06 EST 2008


It's a best practice for users to log out of the web application when they're done; however, many users will not bother to log out and instead rely on the session to eventually expire.

So rather than relying on the user, a better solution would be to allow a website to detect when the user is taking an action that would indicate the user is done with the site, such as closing the browser, closing the window, navigating away from the site in the address bar, or navigating back in history to a site prior to the current site.

I don't know the best way to achieve the above, but I do know developers tend to look at window.onbeforeunload, but it doesn't tell you the event that triggered it, so it isn't useful from the standpoint that refreshing the page, hitting the back button, and following a link all trigger onbeforeunload.

And related, Yngve Pettersen is working on a proposed spec for "Context Cache" that would allow cached items to expire/discard immediately upon logging out:

	http://my.opera.com/yngve/blog/2007/02/27/introducing-cache-contexts-or-why-the
	http://www.ietf.org/internet-drafts/draft-pettersen-cache-context-03.txt

Yngve told me he's looking for feedback on the above draft spec, so if you have the time and interest, he's receptive to receiving feedback.


- Bil
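The limitation described above (the unload handler cannot tell a tab close from a link click or a refresh) can be partly worked around on the client by remembering whether the user left through a same-site link or form, and only then skipping the logout beacon. This is an added example, not code from the post or from any project it mentions; the `/logout` endpoint and the event wiring are assumptions.

```javascript
// Added example (not from the original post). It works around the limitation
// that onbeforeunload/pagehide do not say what triggered them: same-site link
// clicks and form submits are remembered, and the logout beacon is only sent
// when the page is left without one. Refresh and the back button still cannot
// be told apart from closing the tab, so those still end the session early.
// The "/logout" endpoint and the event wiring are assumptions for illustration.

const navState = { leavingViaSiteLink: false };

// True when `href` resolves to the same origin as `origin` (a URL string).
function isSameOrigin(href, origin) {
  try {
    return new URL(href, origin).origin === new URL(origin).origin;
  } catch (e) {
    return false; // unparseable href or origin: treat as external
  }
}

// Decide whether an unload should end the server-side session.
// Following a same-site link or submitting a form means the user is
// still using the site, so the session must survive.
function shouldEndSession(state) {
  return !state.leavingViaSiteLink;
}

// Record an activation of an anchor; returns the updated flag.
function noteLinkActivation(state, href, origin) {
  if (isSameOrigin(href, origin)) {
    state.leavingViaSiteLink = true;
  }
  return state.leavingViaSiteLink;
}

if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  document.addEventListener('click', (ev) => {
    const a = ev.target && ev.target.closest ? ev.target.closest('a[href]') : null;
    if (a) noteLinkActivation(navState, a.href, window.location.origin);
  });
  document.addEventListener('submit', () => { navState.leavingViaSiteLink = true; });
  // pagehide fires on tab close, navigation away and refresh alike.
  window.addEventListener('pagehide', () => {
    if (shouldEndSession(navState)) {
      // sendBeacon survives page teardown, unlike an async XHR. Assumed endpoint.
      navigator.sendBeacon('/logout', '');
    }
  });
}
```

The server must still enforce its own idle and absolute session timeouts, since a refresh or a back-button press will send the beacon and a crashed browser will send nothing.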


