[owasp-intrinsic-security] Logging Out

Jim Manico jim.manico at aspectsecurity.com
Tue Nov 11 16:44:27 EST 2008


Bill,

Trapping a "windows close" event (or unload or beforeunload) is not
completely reliable as you illustrated below - especially with the
advent of multi-tabbed (and even multi-window) browsing.

From an intrinsic point of view, one easy suggestion would be to
encourage all JavaScript implementors to support a complete
BROWSER-CLOSE event: an event that fires only when the final instance of
a browser is closed. This will let the programmer easily trap when to
send an ajax logout event back to the server to force a real logout.

-Jim

-----Original Message-----
From: owasp-intrinsic-security-bounces at lists.owasp.org
[mailto:owasp-intrinsic-security-bounces at lists.owasp.org] On Behalf Of
Bil Corry
Sent: Friday, November 07, 2008 4:42 PM
To: owasp-intrinsic-security at lists.owasp.org
Subject: [owasp-intrinsic-security] Logging Out

It's a best practice for users to log out of the web application when
they're done, however many users will not bother to log out and instead
rely on the session to eventually expire.

So rather than relying on the user, a better solution would be to allow
a website to detect when the user is taking an action that would
indicate the user is done with the site, such as closing the browser,
closing the window, navigating away from the site in the address bar, or
navigating back in history to a site prior to the current site.

I don't know the best way to achieve the above, but I do know developers
tend to look at window.onbeforeunload, but it doesn't tell you the event
that triggered it; so it isn't useful from the standpoint that
refreshing the page, hitting the back button, and following a link all
trigger onbeforeunload.

And related, Yngve Pettersen is working on a proposed spec for "Context
Cache" that would allow cached items to expire/discard immediately upon
logging out:

http://my.opera.com/yngve/blog/2007/02/27/introducing-cache-contexts-or-why-the

http://www.ietf.org/internet-drafts/draft-pettersen-cache-context-03.txt

Yngve told me he's looking for feedback on the above draft spec, so if
you have the time and interest, he's receptive to receiving feedback.


- Bil
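
The two messages above describe the same problem from both ends: the page
cannot learn why it is being unloaded, and the server should not depend on
the browser to end the session. The following is an added example, not code
from either poster or from OWASP. It models both halves under Node: a
server-side session store with idle and absolute timeouts, and a browser-side
unload hook that fires a logout only when the page did not itself start
same-site navigation. The names SessionStore, makeUnloadHandler and simulate
are invented for the illustration, as is the session id; the real-browser
wiring at the bottom uses pagehide and navigator.sendBeacon, which did not
exist in 2008, and is skipped when no window object is present.

```javascript
// Added example, not from the OWASP list thread. Node-runnable model of
// "log out when the user leaves": a browser unload hook that gets no reason
// for the unload, beside a server-side timeout that works whether or not the
// browser ever calls back. All names below are made up for this illustration.

// ---- server side: session lifetime that does not depend on the browser ----
class SessionStore {
  constructor({ idleMs, absoluteMs }) {
    this.idleMs = idleMs;          // expire after this much silence
    this.absoluteMs = absoluteMs;  // hard cap regardless of activity
    this.sessions = new Map();
  }
  create(id, now) {
    this.sessions.set(id, { createdAt: now, lastSeen: now });
  }
  // Look up and lazily expire; returns null for unknown or expired sessions.
  get(id, now) {
    const s = this.sessions.get(id);
    if (!s) return null;
    if (now - s.lastSeen > this.idleMs || now - s.createdAt > this.absoluteMs) {
      this.sessions.delete(id);
      return null;
    }
    return s;
  }
  // Every authenticated request (including a keep-alive ping) extends idle time.
  touch(id, now) {
    const s = this.get(id, now);
    if (s) s.lastSeen = now;
    return s !== null;
  }
  logout(id) { return this.sessions.delete(id); }
  isActive(id, now) { return this.get(id, now) !== null; }
}

// ---- browser side: best-effort logout on unload ----
// pagehide/beforeunload carry no "why". The only hint the page can give itself
// is whether it just initiated same-site navigation (a link click it saw).
// Reload, back/forward and typing a URL all look identical to closing the tab.
function makeUnloadHandler(sendLogoutBeacon) {
  let sameSiteNavPending = false;
  return {
    onSameSiteLinkClick() { sameSiteNavPending = true; },
    onPageHide() {
      if (sameSiteNavPending) {
        sameSiteNavPending = false;
        return 'kept';           // user is still on the site
      }
      sendLogoutBeacon();        // may be a real exit, or just a refresh
      return 'logged-out';
    },
  };
}

// Run one scenario end to end; returns whether the session is still alive.
function simulate(scenario) {
  const store = new SessionStore({ idleMs: 15 * 60 * 1000, absoluteMs: 8 * 3600 * 1000 });
  const sid = 'sess-123';       // constructed sample session id
  let t = 0;
  store.create(sid, t);
  const handler = makeUnloadHandler(() => store.logout(sid));
  switch (scenario) {
    case 'same-site-link':
      handler.onSameSiteLinkClick();
      handler.onPageHide();
      t += 1000; store.touch(sid, t);   // next page loads and talks to server
      break;
    case 'reload':                      // indistinguishable from close-tab
    case 'close-tab':
      handler.onPageHide();
      t += 1000;
      break;
    case 'abandon':                     // user walks away; browser stays open
      t += 16 * 60 * 1000;
      break;
  }
  return store.isActive(sid, t);
}

// Real browser wiring (skipped under Node). Same-origin link clicks mark the
// unload as internal; anything else sends a logout beacon on pagehide.
if (typeof window !== 'undefined') {
  const h = makeUnloadHandler(() => navigator.sendBeacon('/logout'));
  document.addEventListener('click', (e) => {
    const a = e.target.closest('a[href]');
    if (a && new URL(a.href, location.href).origin === location.origin) h.onSameSiteLinkClick();
  });
  window.addEventListener('pagehide', () => h.onPageHide());
}
```

The reload scenario is the failure mode Bil points at: the unload hook logs
the user out on a simple refresh, because the page sees the same event it
would see on close. That is why the server-side idle and absolute timeouts
are the part that actually bounds the session; the beacon only shortens the
window when it happens to fire on a genuine exit.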

_______________________________________________
owasp-intrinsic-security mailing list
owasp-intrinsic-security at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-intrinsic-security
