Session not timing out when browsing away from application

Continuing with web application vulnerabilities, today I will describe why it is important to abandon the session once a logged-in user browses away from the site without logging out, so that the associated SessionID is not left alive instead of being terminated in a timely manner. If the user is working on a shared computer and does not log out of the application or close the browser, but simply browses to another web site, the next person at that computer can simply browse back to the previous session. A malicious user can exploit this by reusing the session and can do serious damage to the user's data. Users often forget to log out, and an attacker may be able to gain access to the same browser session soon after the user has left the computer, and hence gain access to the application.

A simple solution can be designed to prevent this. One thing to note is that ASP.NET applications by default use a 20-minute session timeout with sliding expiration. Even so, the SessionID should be terminated the moment the browser is used for external sites. To log the user off once they start navigating away from the application, the application can make use of master pages with two HTML frames. The application itself resides in the main frame, which the user browses. An invisible second frame holds a JavaScript function that is called when the user browses away from the app. Essentially, the script makes an Ajax logout request as soon as the user navigates away from the application, which abandons the user's session and logs the user off.

One Response to “Session not timing out when browsing away from application”

  1. Brent Humber Says:

    Where could I find the code to do this?
