[Owasp-testing] Session timeout failure - What ref. number?
matteo.meucci at gmail.com
Tue Feb 23 07:26:57 EST 2010
You are right. We described the session expiration in OWASP-SM-001 and
The first one says to check if the session expires in a reasonable
time by submitting the same cookie in different time frames; the second
says to check inside the cookie attributes, when the application
responds with a Set-Cookie directive, if there is a setting for date of
In your case, maybe you are describing another issue: TESTING FOR
LOGOUT AND BROWSER CACHE MANAGEMENT (OWASP-AT-007).
It seems that the application, or maybe a client script, redirects you
automatically to the login page after a time-out. The problem here is
that the application does not invalidate your session server side
after a forced logout. Try to investigate what interesting information
is sent in the HTTP requests/responses during the forced logout and
what happens if you click on the logout button (if any). Is that case more
On Tue, Feb 23, 2010 at 12:58 PM, Michael Boman
<michael.boman at omegapoint.se> wrote:
> I came across a failure to properly timeout a session. The session times
> out and I am re-directed to the login page, but by pressing "back" on the
> browser got me into the application again which still thought that I was
> logged in.
> My question is what reference number that would be in OWASP testing guide.
> I've been browsing through the guide but haven't been able to pin-point the
> reference number as of yet.
> Perhaps it belongs under OWASP-SM-001, but I am not sure.
> Please advise.
> Best regards
> Michael Boman
OWASP-Italy Chair, CISSP, CISA
OWASP Testing Guide lead
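An added example, not part of this thread or of the OWASP Testing Guide: a small offline model of the two checks Matteo describes. `cookie_expiry_attrs` does the OWASP-SM-001 cookie-attribute inspection (is there a Max-Age/Expires on the session cookie?), and `SessionStore` contrasts a server that only "expires" sessions through a client-side redirect (Michael's finding, `server_enforced=False`) with one that actually drops the session server side; the token and cookie values are constructed.

```python
from http.cookies import SimpleCookie


def cookie_expiry_attrs(set_cookie_header: str) -> dict:
    """SM-001 cookie-attribute check: report Max-Age / Expires per cookie.
    If both are missing, the browser keeps the cookie for the whole browser session."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return {
        name: {"max-age": m["max-age"] or None, "expires": m["expires"] or None}
        for name, m in jar.items()
    }


class SessionStore:
    """Minimal server-side session table. server_enforced=False models the
    behaviour from the thread: a redirect to the login page 'expires' the
    session only in the browser, so the old cookie keeps working when replayed."""

    def __init__(self, idle_timeout: float, server_enforced: bool = True):
        self.idle_timeout = idle_timeout
        self.server_enforced = server_enforced
        self._last_seen = {}  # session token -> time of last accepted request

    def login(self, token: str, now: float) -> None:
        self._last_seen[token] = now

    def logout(self, token: str) -> None:
        self._last_seen.pop(token, None)  # explicit server-side invalidation (AT-007)

    def is_valid(self, token: str, now: float) -> bool:
        last = self._last_seen.get(token)
        if last is None:
            return False
        if self.server_enforced and now - last > self.idle_timeout:
            self.logout(token)  # idle timeout reached: drop the entry, do not just redirect
            return False
        self._last_seen[token] = now
        return True


def replay_after_timeout(store: SessionStore) -> bool:
    """SM-001 replay test: log in, wait past the timeout, submit the same cookie again.
    Returns True when the server still accepts it, i.e. the finding in the thread."""
    token = "constructed-session-id"  # constructed sample value, not a real token
    store.login(token, now=0.0)
    return store.is_valid(token, now=store.idle_timeout + 1.0)
```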