[Owasp-testing] Session timeout failure - What ref. number?

Michael Boman michael.boman at omegapoint.se
Wed Feb 24 03:11:12 EST 2010


That sounds like the problem I am trying to describe. Thanks a lot all of you for your feedback.

Best regards
Michael Boman

-----Original Message-----
From: Matteo Meucci [mailto:matteo.meucci at gmail.com] 
Sent: 23 February 2010 13:27
To: Michael Boman
Cc: owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] Session timeout failure - What ref. number?

Hi Michael,
you are right. We described the session expiration in OWASP-SM-001 and
OWASP-SM-002.
The first one says to check if the session expires in a reasonable
time by submitting the same cookie in different time frames; the second
says to check inside the cookie attributes, when the application
responds with a Set-Cookie directive, if there is a setting for date of
expiration.

In your case, maybe you are describing another issue: TESTING FOR
LOGOUT AND BROWSER CACHE MANAGEMENT (OWASP-AT-007).
It seems that the application, or maybe a client script, redirects you
automatically to the login page after a time-out. The problem here is
that the application does not invalidate your session server side
after a forced logout. Try to investigate what interesting information
is sent in the HTTP requests/responses during the forced logout and
what happens if you click on the logout button (if any). Is that case more
suitable?

Thanks,
Mat



On Tue, Feb 23, 2010 at 12:58 PM, Michael Boman
<michael.boman at omegapoint.se> wrote:
> I came across a failure to properly time out a session. The session times
> out and I am re-directed to the login page, but pressing "back" in the
> browser got me into the application again, which still thought that I was
> logged in.
> My question is what reference number that would be in the OWASP testing guide.
> I've been browsing through the guide but haven't been able to pin-point the
> reference number as of yet.
> Perhaps it belongs under OWASP-SM-001, but I am not sure.
> Please advise.
> Best regards
> Michael Boman
>
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
>
>



-- 
Matteo Meucci
OWASP-Italy Chair, CISSP, CISA
http://www.owasp.org/index.php/Italy
OWASP Testing Guide lead
http://www.owasp.org/index.php/Testing_Guide
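Added example (not from the thread or from the OWASP Testing Guide): a small server-side session store that makes the distinction in Matteo's reply concrete. The cookie only names a session; the server decides whether it is still live (idle and absolute timeouts, OWASP-SM-001) and logout deletes the server-side entry (OWASP-AT-007), so a replayed cookie after "back" is rejected. A weak handler that only redirects to the login page is shown beside the hardened one, and a Set-Cookie parser covers the OWASP-SM-002 expiry-attribute check. All class and function names, the FakeClock, and the timeout values are constructed for this example.

```python
"""Session lifecycle demo: idle/absolute timeout, logout invalidation, Set-Cookie check.
Constructed example; names and values are hypothetical."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: str
    created_at: float  # for the absolute lifetime limit
    last_seen: float   # for the idle (inactivity) limit


class FakeClock:
    """Injectable clock so timeouts can be exercised without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class SessionStore:
    """Authoritative server-side session table. Validity is decided here,
    never by a client-side timer or redirect."""

    def __init__(self, idle_timeout: float, absolute_timeout: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable identifier, carries no user data
        now = self.clock()
        self._sessions[token] = Session(user=user, created_at=now, last_seen=now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user for a live session, or None. Expired entries are
        deleted on first sight so a replayed cookie can never be revived."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        if (now - session.last_seen > self.idle_timeout
                or now - session.created_at > self.absolute_timeout):
            del self._sessions[token]
            return None
        session.last_seen = now  # sliding idle window
        return session.user

    def invalidate(self, token: str) -> None:
        """Logout must remove the server-side state, not just redirect the browser."""
        self._sessions.pop(token, None)


def weak_timeout_handler(store: SessionStore, token: str) -> str:
    """The failure mode from the thread: redirect to /login on time-out but leave
    the session alive, so pressing 'back' reuses the old cookie successfully."""
    return "302 Location: /login"


def logout_handler(store: SessionStore, token: str) -> str:
    """Hardened: invalidate server side first, then redirect and clear the cookie."""
    store.invalidate(token)
    return "302 Location: /login; Set-Cookie: session=; Max-Age=0"


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Attributes of a Set-Cookie value (lower-cased keys; flag attributes such as
    HttpOnly map to 'true'). The leading name=value pair is skipped."""
    attrs: Dict[str, str] = {}
    for part in header.split(";")[1:]:
        key, has_eq, val = part.strip().partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else "true"
    return attrs


def cookie_has_expiry(header: str) -> bool:
    """OWASP-SM-002 style check: does the cookie carry Expires or Max-Age?"""
    attrs = parse_set_cookie(header)
    return "expires" in attrs or "max-age" in attrs


def replay_scenario(handler: Callable[[SessionStore, str], str]) -> bool:
    """Login, let a client-side inactivity timer fire at 5 min (before the server's
    30 min idle limit), run the app's time-out handler, then replay the old cookie
    as a 'back' button would. Returns True if the replay is still accepted."""
    clock = FakeClock()
    store = SessionStore(idle_timeout=1800, absolute_timeout=8 * 3600, clock=clock)
    token = store.create("alice")   # login
    clock.advance(300)              # client timer fires, app sends browser to /login
    handler(store, token)
    clock.advance(10)               # user presses "back"; browser resends the cookie
    return store.validate(token) == "alice"


if __name__ == "__main__":
    print("weak handler, replay accepted:", replay_scenario(weak_timeout_handler))
    print("hardened handler, replay accepted:", replay_scenario(logout_handler))
```

The two scenarios differ only in whether the handler touches the store, which is exactly the check the reply suggests: watch the requests during the forced logout and see whether anything reaches the server that could end the session. The timeouts in `validate` cover the case where the client never tells the server at all.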

