- From: Josh Cohen <josh@netscape.com>
- Date: Tue, 29 Apr 1997 00:02:06 -0700 (PDT)
- To: Michael Giroux <mgiroux@worldnet.att.net>
- Cc: "'http-wg@cuckoo.hpl.hp.com'" <http-wg@cuckoo.hpl.hp.com>
Hi Mike,

I understand the problem you are trying to solve, but I see a large number of difficulties with the method by which you are trying to solve it.

> The problem that occurs is that some users do not press the logout button.
> When this occurs, the mainframe must hold the resources associated with the
> context until the timeout occurs. In some cases, this involves holding
> database resources and memory resources that impact overall system
> performance. A malicious user might even mount a denial of service attack
> by starting many sessions.

1. On the D.O.S. attack, I don't really see how this helps. In mounting any serious attack, the attacker would be smart to write a small client program to produce many sessions; assuming it could defeat a duplicate IP addr check (multi session same client), it could simply choose never to honor your endsession URL.

2. What about people like me who leave their browsers running forever? I just lock my screen at night, etc. The endsession would never get executed.

3. Don't cookies often persist longer than the 'browser session'? i.e. stored in the cookie file? Should the browser delete the cookie on shutdown?

4. What is the method by which the endsession URL should be submitted? POST, GET? What is the browser to do with the response?

5. Security. Gee, this sounds like a nice way for a site to induce a client to access an arbitrary URL at shutdown. What if the URL is a file containing Java, ActiveX or the like?

-----------------------------------------------------------------------------
Josh Cohen                                   Netscape Communications Corp.
Netscape Fire Department                     "Mighty Morphin' Proxy Ranger"
Server Engineering                           josh@netscape.com
http://home.netscape.com/people/josh/
-----------------------------------------------------------------------------
Received on Monday, 28 April 1997 00:05:39 UTC
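Points 1 and 2 above reduce to a server-side rule: the mainframe can never count on receiving the endsession request, so it has to reclaim idle sessions by timeout and cap concurrent sessions per client on its own. The following is an added illustration of that rule, not code from this thread or from any product named in it; the `SessionTable` class, its timeout and per-client cap, and the `flood_and_walk_away` client are all constructed for the example, and times are passed in as plain seconds so the behaviour is deterministic.

```python
from collections import defaultdict

class SessionTable:
    """Server-side session store that never relies on the client to send an
    'endsession' request: idle sessions are reaped by timeout and the number
    of concurrent sessions per client is capped. Times are seconds passed in
    by the caller so the behaviour is deterministic. (Constructed example.)"""

    def __init__(self, idle_timeout, max_per_client):
        self.idle_timeout = idle_timeout
        self.max_per_client = max_per_client
        self.sessions = {}                  # session id -> (client, last activity)
        self.per_client = defaultdict(set)  # client -> live session ids
        self.next_id = 0

    def start(self, client, now):
        """Open a session, or return None when the client is at its cap."""
        self.reap(now)
        if len(self.per_client[client]) >= self.max_per_client:
            return None
        sid = f"s{self.next_id}"
        self.next_id += 1
        self.sessions[sid] = (client, now)
        self.per_client[client].add(sid)
        return sid

    def touch(self, sid, now):
        """Record activity on a live session; False if it has already expired."""
        self.reap(now)
        if sid not in self.sessions:
            return False
        self.sessions[sid] = (self.sessions[sid][0], now)
        return True

    def end(self, sid):
        """Explicit logout: release the session's resources immediately."""
        entry = self.sessions.pop(sid, None)
        if entry is None:
            return False
        self.per_client[entry[0]].discard(sid)
        return True

    def reap(self, now):
        """Release every session idle longer than the timeout; return live count."""
        for sid, (_, last) in list(self.sessions.items()):
            if now - last > self.idle_timeout:
                self.end(sid)
        return len(self.sessions)

def flood_and_walk_away(table, client, attempts, now):
    """A client that opens sessions and never logs out; returns how many it got."""
    return sum(table.start(client, now) is not None for _ in range(attempts))
```

The cap bounds what a client that never calls `end` can hold, and `reap` returns those resources once the idle timeout passes, whether or not any endsession request ever arrives.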