
Re: HTTP State Management Mechanism (Rev1): EndSession attribute

From: Josh Cohen <josh@netscape.com>
Date: Tue, 29 Apr 1997 00:02:06 -0700 (PDT)
To: Michael Giroux <mgiroux@worldnet.att.net>
Cc: "'http-wg@cuckoo.hpl.hp.com'" <http-wg@cuckoo.hpl.hp.com>
Message-Id: <Roam.SIMC.>
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/3156

Hi Mike,

I understand the problem you are trying to solve, but I see
a large number of difficulties with the method by which you are trying to
solve it.

> The problem that occurs is that some users do not press the logout button.
> When this occurs, the mainframe must hold the resources associated with the
> context until the timeout occurs.  In some cases, this involves holding
> database resources and memory resources that impact overall system
> performance.  A malicious user might even mount a denial of service attack
> by starting many sessions.

1. On the D.O.S. attack, I don't really see how this helps.  In mounting
any serious attack, the attacker would be smart to write a small
client program to produce many sessions. Assuming it could
defeat a duplicate IP addr check (multi session same client),
it could simply choose never to honor your endsession URL.

2. What about people like me who leave their browsers running forever?
I just lock my screen at night, etc.  The endsession would never
get executed.

3. Don't cookies often persist longer than the 'browser session',
i.e. stored in the cookie file?  Should the browser delete the cookie
on shutdown?

4. What is the method by which the endsession URL should be submitted?
POST, GET?  What is the browser to do with the response?

5. Security.
Gee, this sounds like a nice way for a site to induce a client
to access an arbitrary URL at shutdown.  What if the URL is a
file containing Java, ActiveX or the like?

Josh Cohen				        Netscape Communications Corp.
Netscape Fire Department	     	       "Mighty Morphin' Proxy Ranger"
Server Engineering
josh@netscape.com                       http://home.netscape.com/people/josh/
Received on Monday, 28 April 1997 00:05:39 UTC
