[Owasp-testing] Testing for logout functionality (OTG-SESS-006)
owasp at 31337.it
Mon Dec 14 19:51:05 UTC 2015
On 12/14/2015 04:48 PM, Simon wrote:
> So the real vulnerability would be the disclosure of the session cookie
> - not the use of a cookie session store.
> I think this should be made clear.
I'd like to add that webappsec (imho) correctly treats the cookie theft
as vulnerability, and does not create constraints on how the session
should be handled.
More information about the Owasp-testing