Friday, July 25, 2008

Session Invalidation

The session is the user's key to the application. Once the user logs out of the application, it is vital to invalidate that session.

I have come across a situation where the session was not invalidated even when I clicked on the Logout button.

This happened to me with the NetGear wireless router that I use. I logged into the Router Management page and clicked the Logout button. I was presented with the logged-out screen. All was well until I wanted to visit the Management console again: when I accessed the pages, I was presented with the console without being prompted for a username/password.

Did I do something wrong? Maybe. I tried again, but it still showed the same thing. I use Firefox as my default browser, so I then tried Internet Explorer. This is where the magic came up.

The Logout button returns a logged-out confirmation page, and that page relies on JavaScript to close the browser. That JavaScript fails in Firefox, so the browser window stays open and the session cookie stays usable. There are two trivial mistakes here:

1. Relying on JavaScript to close the browser without verifying that it works across browsers.
2. Not invalidating the session on the server when the user clicks the Logout button.

Now, on why it is important to invalidate the session once the user clicks the Logout button:

1. Memory utilization: Most of the time, the username is not the only data stored in the session object. User-specific cache data is often put into the session as well, and that cache can account for a good amount of memory. Imagine thousands of sessions on the server waiting to be cleaned up by timeout and the memory they could be hogging in the meantime.

2. Security vulnerability: This one is a bit tricky. Let's say the user has clicked the Logout button but the application has not invalidated the session. There is now a window between the user clicking Logout and the server invalidating the session through its idle timeout. Consider a session-stealing case: this gap gives the attacker extra time to use the stolen session and change the system. Invalidating the session as soon as the user logs out removes that window and reduces the risk.
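The following is an added example, not code from the original post and not the router's firmware, which is unknown. It models the two logout patterns above in Python with a small in-memory session store: a broken logout that only returns a "logged out" page and relies on client-side JavaScript, and a correct logout that drops the session server-side. The idle timeout value, the session-store API and the cached data are all hypothetical; a controllable clock makes the timeout window visible without waiting.

```python
"""Added example: why logout must invalidate the session server-side.

Hypothetical in-memory session store. Nothing here is the router's own code.
"""
import secrets
import time
from dataclasses import dataclass, field

# Hypothetical idle timeout; the only thing that ends a session if logout
# does not invalidate it.
IDLE_TIMEOUT_SECONDS = 30 * 60


@dataclass
class Session:
    user: str
    last_seen: float
    # User-specific cache that stays in memory until the session is removed.
    cache: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so the timeout can be demonstrated

    def login(self, user):
        """Create a session with an unguessable id and some cached data."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, self._clock(), {"config": "x" * 1024})
        return sid

    def lookup(self, sid):
        """Return the live session for sid, expiring it on idle timeout."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def logout_client_side_only(self, sid):
        """The broken pattern from the post: serve a 'logged out' page and
        rely on JavaScript to close the browser. Server state is untouched,
        so the cookie keeps working until the idle timeout fires."""
        return "<html>Logged out<script>window.close()</script></html>"

    def logout(self, sid):
        """The correct pattern: drop the session server-side. The cached
        data is released and a stolen or lingering cookie is now useless."""
        self._sessions.pop(sid, None)
        return "<html>Logged out</html>"

    def active_count(self):
        return len(self._sessions)


def demo():
    """Run both patterns against a fake clock and return what was observed."""
    now = [0.0]
    store = SessionStore(clock=lambda: now[0])

    # Broken logout: the session survives the click and the whole timeout window.
    sid = store.login("admin")
    store.logout_client_side_only(sid)
    still_valid_after_broken_logout = store.lookup(sid) is not None
    now[0] += IDLE_TIMEOUT_SECONDS - 60       # 29 minutes later, still usable
    valid_before_timeout = store.lookup(sid) is not None
    now[0] += IDLE_TIMEOUT_SECONDS + 1        # only the idle timeout ends it
    valid_after_timeout = store.lookup(sid) is not None

    # Correct logout: the session is gone the moment Logout is clicked.
    sid2 = store.login("admin")
    store.logout(sid2)
    valid_after_proper_logout = store.lookup(sid2) is not None

    return {
        "still_valid_after_broken_logout": still_valid_after_broken_logout,
        "valid_before_timeout": valid_before_timeout,
        "valid_after_timeout": valid_after_timeout,
        "valid_after_proper_logout": valid_after_proper_logout,
        "sessions_left": store.active_count(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The observations map directly onto the two points above: with the broken pattern the session and its cached data stay resident and a copied session id keeps working for the full idle-timeout window, while the correct pattern rejects the id immediately and leaves no session behind in the store.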
