[Owasp-testing] Addition to "Testing for logout functionality (OTG-SESS-006)"
lode at vanstechelman.eu
Tue Sep 16 10:46:01 UTC 2014
I'm not sure if it can still be added to the TestingGuide v4, but I have
added a paragraph to "Testing for logout functionality (OTG-SESS-006)".
I find it important since the weakness described on this wiki page is
present in all ASP.NET versions when using Forms Authentication, which is
commonly used in web applications.
Therefore I think it would be good if it could still be added to v4.
For those interested: the weakness in ASP.NET is a standard textbook one: on
logout, the cookie in the browser is removed, but the cookie value can be
reused to gain access to the authenticated session. See the links:
 "The FormsAuthentication.SignOut method does not prevent cookie reply
attacks in ASP.NET applications"
 "Cookie replay attacks in ASP.NET when using forms authentication"
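The check the post describes, as an added example that is not part of the original message, of the OWASP Testing Guide, or of ASP.NET itself: a toy HMAC-signed, time-limited ticket stands in for the forms-authentication ticket (the signing key and the ".ASPXAUTH" cookie name are assumptions), a "vulnerable" server whose sign_out only tells the browser to clear the cookie (the FormsAuthentication.SignOut behaviour the post refers to), and a "hardened" server that additionally keeps a server-side revocation list, which is one possible mitigation chosen for illustration, not one the post prescribes. The replay_after_logout function is the OTG-SESS-006 style test: log in, keep a copy of the cookie, log out in the browser, then replay the copied cookie against the server.

```python
"""Logout replay check for a forms-auth-style cookie (added example).

Not code from the original post or from ASP.NET: the ticket format, the
SECRET key, the ".ASPXAUTH" cookie name and the revocation-list mitigation
are all assumptions made for illustration.
"""
import base64
import hashlib
import hmac
import secrets
import time

# Hypothetical signing key; stands in for the ASP.NET machineKey.
SECRET = secrets.token_bytes(32)
TICKET_TTL = 1800  # seconds, like a 30-minute forms-auth timeout


def issue_ticket(user, now=None):
    """Create a signed ticket: base64(user|expiry|nonce) + "." + hex(HMAC)."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(8)
    payload = f"{user}|{int(now) + TICKET_TTL}|{nonce}".encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def parse_ticket(ticket, now=None):
    """Return (user, expiry, nonce) if signature and expiry are valid, else None."""
    now = time.time() if now is None else now
    try:
        b64, mac = ticket.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
        expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None  # tampered or signed with another key
        user, expiry, nonce = payload.decode().split("|")
        expiry = int(expiry)
    except ValueError:  # bad base64, missing separator, non-integer expiry
        return None
    if expiry <= now:
        return None  # the only thing that stops a stateless ticket
    return user, expiry, nonce


class VulnerableServer:
    """Validates tickets statelessly; sign_out has no server-side effect."""
    COOKIE = ".ASPXAUTH"  # assumed cookie name

    def login(self, user):
        return {self.COOKIE: issue_ticket(user)}

    def sign_out(self, cookies):
        # Mirrors FormsAuthentication.SignOut: only a clearing Set-Cookie
        # goes back to the browser; the ticket value stays valid until expiry.
        return {self.COOKIE: ""}

    def whoami(self, cookies):
        parsed = parse_ticket(cookies.get(self.COOKIE, ""))
        return parsed[0] if parsed else None


class HardenedServer(VulnerableServer):
    """Same ticket, plus a revocation list keyed by ticket nonce (assumed mitigation)."""

    def __init__(self):
        self.revoked = {}  # nonce -> expiry, so entries can be purged later

    def sign_out(self, cookies):
        parsed = parse_ticket(cookies.get(self.COOKIE, ""))
        if parsed:
            self.revoked[parsed[2]] = parsed[1]  # remember it until it would expire anyway
        return super().sign_out(cookies)

    def whoami(self, cookies):
        parsed = parse_ticket(cookies.get(self.COOKIE, ""))
        if not parsed or parsed[2] in self.revoked:
            return None
        return parsed[0]


def replay_after_logout(server, user="alice"):
    """OTG-SESS-006 style check: is the cookie still accepted after logout?"""
    browser = dict(server.login(user))  # the browser's cookie jar
    captured = dict(browser)            # a copy an attacker obtained before logout
    assert server.whoami(browser) == user

    # The user logs out; the browser honours the clearing Set-Cookie.
    for name, value in server.sign_out(browser).items():
        if value == "":
            browser.pop(name, None)

    return {
        "browser_still_authenticated": server.whoami(browser) is not None,
        "replay_accepted": server.whoami(captured) is not None,
    }


if __name__ == "__main__":
    for srv in (VulnerableServer(), HardenedServer()):
        print(type(srv).__name__, replay_after_logout(srv))
```

Against the vulnerable server the browser is logged out but the replayed cookie is still accepted, which is exactly the finding the test case is meant to record; against the hardened server the replay is refused. When testing a real application, the same steps apply with an intercepting proxy: save the authentication cookie, log out through the UI, and resend an authenticated request with the saved cookie value.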