RE: Logout

On Wed, 3 Jan 2001, Tom McLaren wrote:

> I agree that a "logout" type button should certainly be implemented. I'm
> interested in your choice of words however, naming the non-provision of an
> HTTP server cache clearance request as a security hole. In my opinion it is
> the responsibility of the site to provide some form of timeout security. To
> provide an HTTP type clearance of the cache is exposing the agent to what
> amounts to control by a third party. Surely this would constitute a greater
> threat to security and not be a road to wander down without serious
> consideration of the potential future implications?

Any control provided to the server should of course be scoped to the data
'owned' by that server, hence no security exposure. Likewise, it should be
possible for a user to expunge ALL data cached from their session, login
credentials, cookies, pages etc. It should be possible for the 'owner' of
the user agent installation to configure the UA to perform this function
automatically when closed, etc.  Again not a security issue if the action
is performed by or directly on behalf of the human user.

And of course, any well designed web application will implement a timeout
strategy because they can't trust the other end.  Unfortunately short
timeouts which improve security have the strong potential for very
frustrated users who happen to be interrupted by a phone call or other
task while in the middle of an interaction.


Dave Morris

Received on Wednesday, 3 January 2001 10:16:56 UTC
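
The two server-side pieces discussed in this message, as an added example that is not part of the original post: an idle timeout the server enforces itself, and a logout response asking the user agent to drop only this origin's data, using the `Clear-Site-Data` header that was standardized after this thread. The `SessionStore` class, the `session` cookie name and the 15-minute value are assumptions for illustration.

```python
import secrets

IDLE_TIMEOUT = 15 * 60  # seconds; assumed value, tune per application


def logout_headers():
    """Headers for the logout response. Clear-Site-Data applies only to the
    origin that sends it, so the server controls nothing beyond its own data."""
    return [
        ("Clear-Site-Data", '"cache", "cookies", "storage"'),
        ("Cache-Control", "no-store"),
        # Fallback for user agents that ignore Clear-Site-Data.
        ("Set-Cookie", "session=; Max-Age=0; Path=/; Secure; HttpOnly"),
    ]


class SessionStore:
    """Hypothetical in-memory store with a sliding idle timeout."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._last_seen = {}  # session id -> time of last request

    def login(self, now):
        sid = secrets.token_urlsafe(32)
        self._last_seen[sid] = now
        return sid

    def touch(self, sid, now):
        """Return True and slide the window if the session is still live.
        The server decides expiry; it never relies on the client to forget."""
        last = self._last_seen.get(sid)
        if last is None or now - last > self.idle_timeout:
            self._last_seen.pop(sid, None)  # expired or unknown: drop it
            return False
        self._last_seen[sid] = now
        return True

    def logout(self, sid):
        """Invalidate server-side first, then ask the UA to clear its copy."""
        self._last_seen.pop(sid, None)
        return logout_headers()
```

With the 15-minute value, a user interrupted for 20 minutes comes back to an expired session, which is the usability cost the message describes.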