Web application security

Tag: web-applications , session , cookies Author: zhuroufanzi Date: 2010-10-26

I am testing a web application for security issues and I came across the following scenario:

  1. User logs in to application. Application sets session cookies in browser.
  2. User disables cookies in the browser while still authenticated. I know this sounds strange, but perhaps the user's browser is being exploited in some way.
  3. User logs out, but application is unable to unset the session cookies in the browser. Application does not issue a warning about this to the user and behaves as if he is properly logged out.
  4. Session cookies of the application, which have an expiry time of one hour since the last request, are left in the browser for another user to exploit.

My question is, should this be considered a vulnerability in the application or is the whole scenario too far fetched to worry about? My take is that since the app relies exclusively on cookies for authentication and session management, it is the app's responsibility to warn the user about being unable to unset the cookies during logout and instruct the user to manually clear cookies to be safe.

Appreciate the responses!

I believe this is a valid test and the application should warn the user. IMO, no test is ever too far fetched. =P

Other Answer 1

If something the user does can undermine your security system then there is a security hole.

In this case I would suggest that the server keep a list (DB table or other persistent store) of set cookies and when the user logs out delete their cookie from the list. If you later see the cookie it won't be accepted because it is not on the list.
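The server-side list this answer proposes, as an added example that is not code from the original post: a registry of issued session tokens that is consulted on every request, so a cookie the browser failed to clear on logout is rejected anyway. An in-memory dict stands in for the persistent store; `SessionStore`, `IDLE_TIMEOUT`, the `now` clock parameter and the cookie name `session` are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT = 3600  # one hour since the last request, as in the scenario


class SessionStore:
    """Hypothetical server-side registry of issued session tokens.
    A dict stands in for the DB table; `now` is injectable for testing."""

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}  # token -> {"user": str, "last_seen": float}

    def login(self, user):
        # Issue a fresh, unguessable token and record it on the list.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self._now()}
        return token

    def logout(self, token):
        # Remove the token server-side. This works even if the browser
        # ignores the Set-Cookie that tries to clear the cookie.
        self._sessions.pop(token, None)

    def validate(self, token):
        # Returns the user for a live token, or None if the token is not
        # on the list (logged out / never issued) or has idled past the limit.
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]
            return None
        entry["last_seen"] = self._now()
        return entry["user"]


def logout_headers():
    # Best-effort cookie clearing for well-behaved browsers; the server-side
    # invalidation above is the control that actually ends the session.
    return {"Set-Cookie": "session=; Max-Age=0; Path=/; HttpOnly; Secure"}


def token_from_cookie_header(header):
    # Pull the session token out of a raw "Cookie:" request header.
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return None
```

Replaying the stale cookie after logout fails at `validate`, which is the check the scenario in the question is missing.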