[WEB SECURITY] invalidating session using ajax
James Landis
el_spood at yahoo.com
Tue Sep 26 22:13:54 EDT 2006
Yes, it would. The typical recommendation for active capturing of implicit logout is to build the application into a frameset, with ONCLOSE handlers attached only to the parent frame. However, some development groups choose to write conditional ONCLOSE handlers which have state information associated with the transition. In many applications, it is not too difficult to enumerate all of the legitimate user actions which could trigger ONCLOSE and adjust the handler accordingly.
-j
----- Original Message ----
From: Cody Caughlan <codyc at jabico.com>
To: Chad Maniccia <wopazar at gmail.com>
Cc: websecurity at webappsec.org
Sent: Tuesday, September 26, 2006 6:18:57 PM
Subject: Re: [WEB SECURITY] invalidating session using ajax
Wouldn't this method also log out the visitor if they were to click on some other link within your app? The docs for onUnload pretty much call this method at these times:
* Close the current browser window.
* Navigate to another location by entering a new address or selecting a Favorite.
* Click the Back, Forward, Refresh, or Home button.
* Click on an anchor that refers the browser to another Web page.
* Invoke the anchor.click method.
* Invoke the document.write method.
* Invoke the document.open method.
* Invoke the document.close method.
* Invoke the window.close method.
* Invoke the window.open method, providing the possible value _self for the window name.
* Invoke the window.navigate or NavigateAndFind method.
* Invoke the location.replace method.
* Invoke the location.reload method.
* Specify a new value for the location.href property.
* Submit a form to the address specified in the ACTION attribute via the INPUT type=submit control, or invoke the submit method.
That pretty much covers it all. Throwing the baby out with the bathwater?
/Cody
Chad Maniccia wrote:
> You don't need to use Ajax to do this but you can.
>
> <body onUnload="unload()">
>
> or on a frameset
>
> <frameset onUnload="unload()">
>
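> function unload() {
>     window.open('/logouturl');
> }
>
> or
>
> function unload() {
>     var http = new ActiveXObject("Microsoft.XMLHTTP");
>     try {
>         // third argument false = synchronous, so the request is sent before the page unloads
>         http.Open('GET', '/logouturl', false);
>         http.send();
>     } catch (e) {
>         // the page is going away; nothing to do if the request fails
>     }
> }
>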
> From: Anurag Agarwal [mailto:anurag.agarwal at yahoo.com]
> Sent: Tuesday, September 26, 2006 4:52 PM
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] invalidating session using ajax
>
> Hi everyone
>
> I am trying to invalidate a session on my server using Ajax when a
> user closes the browser or moves on to some other webpage outside the
> site.
>
> Any suggestions???
>
> thx
> anurag
>
> ----------------------------------------------------------------------------
>
> The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>
>
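The conditional handler described in the top reply (state recorded for each legitimate transition, consulted when the page unloads), as an added example that is not code from the thread. `createUnloadGuard`, `GRACE_MS`, the use of `pagehide` and `navigator.sendBeacon`, and a logout endpoint that accepts POST are assumptions; only `/logouturl` comes from the messages above.

```javascript
// Added example; createUnloadGuard, GRACE_MS and the wiring are hypothetical.
const LOGOUT_URL = '/logouturl';   // logout path used in the thread
const GRACE_MS = 2000;             // assumed: how long a noted transition stays valid

function createUnloadGuard(appOrigin) {
  let notedAt = null;              // time of the last legitimate in-app transition

  return {
    // Call when the user activates a link or submits a form.
    noteTransition(href, target, now) {
      let url;
      try { url = new URL(href, appOrigin); } catch (e) { return false; }
      const replacesPage = !target || target === '_self';
      const staysInApp = url.origin === appOrigin && url.pathname !== LOGOUT_URL;
      if (!(replacesPage && staysInApp)) return false;
      notedAt = now;
      return true;
    },
    // Call from the unload handler. Anything not noted (close, typed address,
    // Back, Refresh, off-site link) is treated as an implicit logout.
    shouldLogout(now) {
      const legit = notedAt !== null && now - notedAt >= 0 && now - notedAt <= GRACE_MS;
      notedAt = null;              // one-shot: a stale flag must not mask a later close
      return !legit;
    },
  };
}

// Browser wiring (skipped outside a browser).
if (typeof window !== 'undefined') {
  const guard = createUnloadGuard(window.location.origin);
  document.addEventListener('click', (e) => {
    const a = e.target.closest ? e.target.closest('a[href]') : null;
    if (a) guard.noteTransition(a.href, a.target, Date.now());
  }, true);
  document.addEventListener('submit', (e) => {
    guard.noteTransition(e.target.action, e.target.target, Date.now());
  }, true);
  window.addEventListener('pagehide', () => {
    // sendBeacon issues a POST, so the logout endpoint must accept POST.
    if (guard.shouldLogout(Date.now())) navigator.sendBeacon(LOGOUT_URL);
  });
}
```

The request sent on unload is best effort and may never arrive, so the server-side session timeout still has to expire sessions on its own.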