security - Server logout failed > client only logout?


I have a general question. I have a web application that uses cookie authentication. The cookie is verified by the server.

But what should happen in the following scenario:

  • the user clicks on the logout button
  • via AJAX, a logout request is sent to the server
  • the server is down or is blocked by a hacker, so the logout request doesn't get through

The question is: what should happen now?

  1. Show an error message and keep the client logged in (what should it say?)
  2. Log out the client and show an error message (again: what should it say?)
  3. Log out the client and do not show a message. (In the case of a hacker attack, the hacker could use the client's authentication token, because the server doesn't know anything and the client did not notice anything.)

Hopefully you have a short session timeout, so the user is logged out anyway after 20 minutes or so.

This is sort of opinion based. I'd suggest clearing the cookies client side if possible. That is only possible if the session cookies are not HttpOnly, which they should be. If you can't log the client out because the attacker blocks access to the logout URL, then:

Yes, show an error message to keep the user informed. After all, their account is at risk. Something along the lines of: "You were not logged out. Please try again. If the problem persists, please contact us. It is recommended that you clear your cookies."

So to answer your question, the best response is #2, but if you have session security as a priority it may not be possible, and you will have to go with #1.
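As an added example (not code from the question or the answer), here is how a browser client could implement the answer's advice in JavaScript: try the AJAX logout, and if the server does not confirm it, fall back to expiring the session cookie from script, then report response #2 when the cookie could actually be removed and response #1 when it could not (which is what happens when the cookie is HttpOnly, since script can neither read nor overwrite it). The cookie name `sessionid`, the `/logout` endpoint, the message texts and the `CookieStore` test double that emulates `document.cookie` outside a browser are assumptions made for this example.

```javascript
// Added example, not from the original question or answer.
// Assumptions: the session cookie is named "sessionid" and the logout
// endpoint is POST /logout. In the browser, pass `document` as the store.

const SESSION_COOKIES = ["sessionid"]; // assumed cookie name(s)

// True if script can see a cookie with this name (HttpOnly cookies never show up).
function cookieVisible(store, name) {
  return store.cookie.split(";").some(c => c.trim().startsWith(name + "="));
}

// Expire a cookie the way a browser does it via document.cookie.
// For an HttpOnly cookie this silently does nothing.
function expireCookie(store, name) {
  store.cookie = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`;
}

// Decide what to do after the logout request. `serverAcked` is true only when
// the server confirmed it invalidated the session. Returns which of the
// question's options applies, whether the client is now logged out, and the
// message to show the user.
function finishLogout(serverAcked, store) {
  if (serverAcked) {
    return { option: "server", loggedOut: true, serverNotified: true,
             message: "You have been logged out." };
  }
  // Server down or blocked: try to clear the session cookie(s) client side,
  // and only count a cookie as cleared if we could see it before and not after.
  const notCleared = [];
  for (const name of SESSION_COOKIES) {
    if (!cookieVisible(store, name)) { notCleared.push(name); continue; } // HttpOnly or unknown
    expireCookie(store, name);
    if (cookieVisible(store, name)) notCleared.push(name);
  }
  if (notCleared.length === 0) {
    // Option #2: local session gone, but the server still considers it valid.
    return { option: 2, loggedOut: true, serverNotified: false,
             message: "Your local session was cleared, but the server could not be " +
                      "reached, so it may still consider you logged in. Please try " +
                      "again later. If the problem persists, please contact us." };
  }
  // Option #1: nothing we can do from script; keep the user informed.
  return { option: 1, loggedOut: false, serverNotified: false,
           message: "You were not logged out. Please try again. If the problem " +
                    "persists, please contact us. It is recommended that you clear " +
                    "your cookies." };
}

// Browser entry point: send the AJAX logout and interpret the result.
// A network error (server down, request blocked) counts as "not acknowledged".
async function logout(store = document) {
  let acked = false;
  try {
    const res = await fetch("/logout", { method: "POST", credentials: "same-origin" });
    acked = res.ok;
  } catch (e) {
    acked = false;
  }
  const result = finishLogout(acked, store);
  // The caller would redirect to the login page when result.loggedOut is true
  // and otherwise display result.message in place.
  return result;
}

// Constructed test double with document.cookie semantics so the logic can run
// outside a browser. HttpOnly cookies are neither readable nor writable by script.
class CookieStore {
  constructor(cookies) { this.jar = new Map(Object.entries(cookies)); }
  get cookie() {
    return [...this.jar].filter(([, v]) => !v.httpOnly)
                        .map(([k, v]) => `${k}=${v.value}`).join("; ");
  }
  set cookie(str) {
    const [pair, ...attrs] = str.split(";").map(s => s.trim());
    const [name, value] = pair.split("=");
    const existing = this.jar.get(name);
    if (existing && existing.httpOnly) return; // script cannot touch it
    const expired = attrs.some(a => /^expires=/i.test(a) && new Date(a.slice(8)) < new Date());
    if (expired) this.jar.delete(name);
    else this.jar.set(name, { value, httpOnly: false });
  }
}
```

With a non-HttpOnly session cookie the fallback yields option #2 (cookie gone locally, warning shown); with an HttpOnly cookie, which is the recommended setting, the script cannot even see it, so the only honest outcome is option #1.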

