Reputation: 111
Web application security
I am testing a web application for security issues and I came across the following scenario:
- User logs in to application. Application sets session cookies in browser.
- User disables cookies in the browser while still authenticated. I know this sounds strange, but perhaps the user's browser is being exploited in some way.
- User logs out, but application is unable to unset the session cookies in the browser. Application does not issue a warning about this to the user and behaves as if he is properly logged out.
- Session cookies of the application, which have an expiry time of one hour since the last request, are left the in the browser for another user to exploit.
My question is, should this be considered a vulnerability in the application or is the whole scenario too far fetched to worry about? My take is that since the app relies exclusively on cookies for authentication and session management, it is the app's responsibility to warn the user about being unable to unset the cookies during logout and instruct the user to manually clear cookies to be safe.
Appreciate the responses!
Upvotes: 1
Views: 113
Answers (1)
Reputation: 736
If something the user does can undermine your security system then there is a security hole.
In this case I would suggest that the server keep a list (DB table or other pesistant store) of set cookies and when the user logs out delete their cookie from the list. If you later see the cookie it won't be accepted because it is not on the list.
Upvotes: 1
Related Questions
- Security Concerns regarding session cookies
- Web application log in security implementation in maintaining sessions
- avoid session hijacking for Web Applications
- Web application security
- Session fixation with session in cookies
- Questions about cookies and sessions in ASP.net application
- Session, cookies and Security
- Java Web App Security using Cookies
- Evaluation: odd session management in web-based application
- Securing Cookie Based Authentication