[Owasp-testing] Session timeout failure - What ref. number?

rick.mitchell at bell.ca rick.mitchell at bell.ca
Tue Feb 23 07:36:34 EST 2010


I'd classify that as session fixation (OWASP-SM-003). Just like a new session identifier should be assigned once a user has successfully authenticated, a session identifier should be invalidated if they log out or are forced (via timeout etc.) to log out.

http://www.owasp.org/index.php/Testing_for_Session_Fixation_%28OWASP-SM-003%29

Rick

________________________________
From: owasp-testing-bounces at lists.owasp.org [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Michael Boman
Sent: February 23, 2010 6:58 AM
To: owasp-testing at lists.owasp.org
Subject: [Owasp-testing] Session timeout failure - What ref. number?

I came across a failure to properly time out a session. The session times out and I am redirected to the login page, but pressing "back" on the browser got me into the application again, which still thought that I was logged in.

My question is what reference number that would be in the OWASP Testing Guide. I've been browsing through the guide but haven't been able to pinpoint the reference number as of yet.

Perhaps it belongs under OWASP-SM-001, but I am not sure.

Please advise.

Best regards
Michael Boman
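The failure Michael describes and the fix Rick points to, as an added illustration that is not code from the thread or from OWASP: the weak store only redirects when a timer fires and keeps honouring the old cookie, while the hardened store enforces the idle timeout and logout on the server, so replaying the identifier (which is what "back" does) returns no user. The IDLE_TIMEOUT value and the class names are assumptions for the example.

```python
import secrets

IDLE_TIMEOUT = 15 * 60  # seconds; assumed policy value, not from the thread


class WeakSessionStore:
    """Never expires a session server-side: the app redirects to the login
    page on a client-side timer, but the old cookie keeps working after
    'back' because the record is still here and still valid."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, now):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def user_for(self, sid, now):
        rec = self._sessions.get(sid)
        return rec["user"] if rec else None


class HardenedSessionStore(WeakSessionStore):
    """Idle timeout and logout are enforced where it matters, on the server:
    an expired identifier is deleted on first use, so a replayed cookie
    yields no authenticated user regardless of what the browser cached."""

    def user_for(self, sid, now):
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if now - rec["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # invalidate, do not merely redirect
            return None
        rec["last_seen"] = now  # sliding idle window
        return rec["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def login(self, user, now, pre_auth_sid=None):
        # OWASP-SM-003: drop any pre-authentication identifier and issue a fresh one
        self.logout(pre_auth_sid)
        return super().login(user, now)


def replay_after_timeout(store, now):
    """The reported test: log in, wait past the idle timeout, then re-send the
    same cookie exactly as the browser's back button would."""
    sid = store.login("alice", now)
    return store.user_for(sid, now + IDLE_TIMEOUT + 1)
```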
