[ https://issues.apache.org/jira/browse/KNOX-571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14635831#comment-14635831 ]
Jeffrey E Rodriguez commented on KNOX-571:
-------------------------------------------

In my design, Knox provides this as a contributor/filter which any UI can use or decide not to use. So whoever (the web application or Knox) does the login (authentication), it has to also do the logout. Let's say there is an application that is doing its own login; then they don't need to hook the authentication (Shiro filter), and can comment that out in the topology, then they can do login and logout since they own their session. On the other hand, if Knox is doing the authentication (login), it needs to support logout.

The fact that open source UIs don't have a "sign out" (logout) doesn't mean they don't need one. So the discussion should be, if Knox will provide a proxy to any Web interface UI, where do we do the logout (expiration of session). There is no discussion that logout is needed if you have a web interface. Most serious web security professionals would say so, and most web scanning tools will flag any web interface which doesn't have a logout (or equivalent to expire session).

> UI Web pages should have a way to logout
> ----------------------------------------
>
>                 Key: KNOX-571
>                 URL: https://issues.apache.org/jira/browse/KNOX-571
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 0.7.0
>         Environment: Redhat/Windows
>            Reporter: Jeffrey E Rodriguez
>             Fix For: 0.7.0
>
>         Attachments: knox_logout_design.jpg
>
>
> UI using Knox as a proxy should have a way to define a logout so Browser to
> Knox session is invalidated and user is challenged for Authentication. This
> is a web security requirement to prevent session hijacking attacks.
> References
> https://www.owasp.org/index.php/Session_hijacking_attack
> https://owasp.org/index.php/Testing_for_logout_functionality_%28OTG-SESS-007%29

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
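The comment argues that whichever side performs login (here, a Knox filter) must also provide logout, and the issue text defines what a logout has to achieve: the browser-to-Knox session is invalidated and the user is challenged for authentication again. The filter below is an added example of that behaviour written against the standard Servlet API; it is not Knox's own contributor/filter code, the attached design is not on this page, and the `/logout` path, the `JSESSIONID` cookie name and the Basic realm string are assumptions standing in for whatever the gateway topology configures.

```java
// Added example, not Apache Knox project code: a servlet filter that gives a
// proxied UI a logout endpoint. It (1) invalidates the server-side session,
// (2) expires the session cookie in the browser, (3) forbids caching of the
// response and (4) answers 401 so the next request is re-authenticated.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LogoutFilter implements Filter {

    // Assumed values; in a real deployment these come from the gateway configuration.
    private static final String LOGOUT_PATH = "/logout";
    private static final String SESSION_COOKIE = "JSESSIONID";
    private static final String AUTH_CHALLENGE = "Basic realm=\"gateway\"";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Anything other than the logout path is passed through to the proxied UI.
        if (!request.getRequestURI().endsWith(LOGOUT_PATH)) {
            chain.doFilter(req, res);
            return;
        }

        // 1. Invalidate the server-side session: a session id captured earlier
        //    (the hijacking case the issue cites) is worthless after this point.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Expire the cookie in the browser. Path and flags must match the
        //    cookie that was originally issued, or the browser keeps the old one.
        Cookie expired = new Cookie(SESSION_COOKIE, "");
        expired.setMaxAge(0);
        expired.setPath("/");
        expired.setHttpOnly(true);
        expired.setSecure(request.isSecure());
        response.addCookie(expired);

        // 3. Do not let the logout response (or a cached copy of a protected page) linger.
        response.setHeader("Cache-Control", "no-store");
        response.setHeader("Pragma", "no-cache");

        // 4. Re-challenge: 401 plus WWW-Authenticate forces credentials on the next request.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setHeader("WWW-Authenticate", AUTH_CHALLENGE);
        response.setContentType("text/plain");
        response.getWriter().write("Logged out");
    }

    @Override
    public void destroy() { }
}
```

Two points worth checking when wiring something like this into a topology: the filter has to sit in front of the authentication filter's session handling so that `getSession(false)` sees the same session the login created, and the cookie attributes in step 2 (path, `HttpOnly`, `Secure`) must mirror those of the cookie issued at login, otherwise the browser treats the expiry as a different cookie and the old session id survives on the client even though the server has already discarded it. Restricting the logout path to POST is a common further hardening so that a cross-site image or link cannot log a user out.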