[owasp-intrinsic-security] Logging Out

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Tue Nov 11 17:07:04 EST 2008

I agree, though W3C is probably the right place for this suggestion to go. It sounds very actionable as long as it's not a normal kind of event where the action can be cancelled with a "return false" - the window event should be guaranteed to close regardless of the function code in order to prevent ad pages from immunizing themselves.
Tangentially, I think we should start some kind of ticketing system where the suggestions we want to recommend within the ISWG can be tracked, who's got the ball on our end and their end, what's the status, etc. 


From: owasp-intrinsic-security-bounces at lists.owasp.org on behalf of Jim Manico
Sent: Tue 11/11/2008 4:44 PM
To: Bil Corry; owasp-intrinsic-security at lists.owasp.org
Subject: Re: [owasp-intrinsic-security] Logging Out


Trapping a "windows close" event (or unload or beforeunload) is not
completely reliable as you illustrated below - especially with the
advent of multi-tabbed (and even multi-window) browsing.

From an intrinsic point of view, one easy suggestion would be to
encourage all JavaScript implementors to support a complete
BROWSER-CLOSE event: an event that fires only when the final instance of
a browser is closed. This will let the programmer easily trap when to
send an ajax logout event back to the server to force a real logout.


-----Original Message-----
From: owasp-intrinsic-security-bounces at lists.owasp.org
[mailto:owasp-intrinsic-security-bounces at lists.owasp.org] On Behalf Of
Bil Corry
Sent: Friday, November 07, 2008 4:42 PM
To: owasp-intrinsic-security at lists.owasp.org
Subject: [owasp-intrinsic-security] Logging Out

It's a best practice for users to log out of the web application when
they're done, however many users will not bother to log out and instead
rely on the session to eventually expire.

So rather than relying on the user, a better solution would be to allow
a website to detect when the user is taking an action that would
indicate the user is done with the site, such as closing the browser,
closing the window, navigating away from the site in the address bar, or
navigating back in history to a site prior to the current site.

I don't know the best way to achieve the above, but I do know developers
tend to look at window.onbeforeunload, but it doesn't tell you the event
that triggered it; so it isn't useful from the standpoint that
refreshing the page, hitting the back button, and following a link all
trigger onbeforeunload.

And related, Yngve Pettersen is working on a proposed spec for "Context
Cache" that would allow cached items to expire/discard immediately upon
logging out:


Yngve told me he's looking for feedback on the above draft spec, so if
you have the time and interest, he's receptive to receiving feedback.

- Bil
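As an added illustration of the problem raised in this thread (not code from any of the participants): the browser cannot tell a refresh, back, or link from a real close, so an unload-triggered "ajax logout" must not destroy the session outright. The sketch below treats the unload beacon as a hint that starts a short grace period, and any authenticated request inside that window lifts it; the endpoint name, the 30-second grace value and the injected clock are assumptions for this example.

```javascript
// Client-side unload hint plus server-side grace period (example, not from the thread).
// Assumed values: a /logout-hint endpoint, 30 s grace, 15 min idle timeout.

const GRACE_MS = 30 * 1000;      // time allowed for a refresh/back/link to resume
const IDLE_MS = 15 * 60 * 1000;  // ordinary idle timeout, the real backstop

class SessionStore {
  constructor(now = () => Date.now()) { this.now = now; this.sessions = new Map(); }
  create(id) { this.sessions.set(id, { lastSeen: this.now(), suspendedAt: null }); }
  // Called on every authenticated request: a request inside the grace window means
  // the unload was a refresh/back/link, so the suspension is lifted.
  touch(id) {
    const s = this.sessions.get(id);
    if (!s || !this.isValid(id)) { this.sessions.delete(id); return false; }
    s.lastSeen = this.now(); s.suspendedAt = null; return true;
  }
  // Called by the unload beacon: marks the session suspended, never destroys it.
  suspend(id) {
    const s = this.sessions.get(id);
    if (s && s.suspendedAt === null) s.suspendedAt = this.now();
  }
  isValid(id) {
    const s = this.sessions.get(id); if (!s) return false;
    const t = this.now();
    if (t - s.lastSeen > IDLE_MS) return false;                      // idle expiry
    if (s.suspendedAt !== null && t - s.suspendedAt > GRACE_MS) return false; // grace ran out
    return true;
  }
}

// Browser side: 'win' and 'nav' are passed in so the function can be exercised against
// a fake window outside a browser; in a page call installUnloadHint(window, navigator, sid).
function installUnloadHint(win, nav, sessionId) {
  let sent = false;
  const hint = () => {
    if (sent) return; sent = true;   // pagehide and beforeunload both fire; send once
    // sendBeacon is fire-and-forget and survives page teardown; a plain XHR may be cancelled.
    nav.sendBeacon('/logout-hint', JSON.stringify({ sid: sessionId }));
  };
  win.addEventListener('pagehide', hint);
  win.addEventListener('beforeunload', hint);
  return hint;
}
```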

owasp-intrinsic-security mailing list
owasp-intrinsic-security at lists.owasp.org

