[Owasp-testing] Testing for logout functionality (OTG-SESS-006)

Simon owasp at 31337.it
Mon Dec 14 19:51:05 UTC 2015


On 12/14/2015 04:48 PM, Simon wrote:
> So the real vulnerability would be the disclosure of the session cookie
> - not the use of a cookie session store.
> 
> I think this should be made clear.

I'd like to add that webappsec (imho) correctly treats the cookie theft
as a vulnerability, and does not create constraints on how the session
should be handled.

[1]
http://projects.webappsec.org/w/page/13246944/Insufficient%20Session%20Expiration
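An added illustration of the point under discussion (not code from this thread or from OWASP): a stateless signed-cookie session store beside a server-side store, with the OTG-SESS-006 logout check applied to both. The store classes, the user name and the signing key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side signing key; a real deployment would load it from config.
SECRET_KEY = secrets.token_bytes(32)


class CookieSessionStore:
    """Stateless session: the cookie carries the signed user name; nothing is kept server-side."""

    def login(self, user: str) -> str:
        payload = user.encode()
        mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
        return payload.hex() + "." + mac

    def logout(self, cookie: str) -> None:
        pass  # nothing to invalidate: the server holds no state for this session

    def is_authenticated(self, cookie: str) -> bool:
        hexpayload, _, mac = cookie.partition(".")
        expected = hmac.new(SECRET_KEY, bytes.fromhex(hexpayload), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac)


class ServerSessionStore:
    """Stateful session: the cookie is an opaque id looked up in a server-side table."""

    def __init__(self) -> None:
        self.sessions: dict[str, str] = {}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def logout(self, cookie: str) -> None:
        self.sessions.pop(cookie, None)  # server-side invalidation on logout

    def is_authenticated(self, cookie: str) -> bool:
        return cookie in self.sessions


def logout_invalidates_session(store) -> bool:
    """OTG-SESS-006 check: a copy of the cookie taken before logout must not authenticate afterwards."""
    cookie = store.login("alice")
    earlier_copy = cookie  # constructed scenario: the same cookie value seen before logout
    store.logout(cookie)
    return not store.is_authenticated(earlier_copy)
```

The check passes for the server-side store and fails for the stateless cookie store, which is exactly why the thread locates the risk in cookie disclosure and in expiration handling rather than in the choice of a cookie session store as such.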

