* Jonas Sicking wrote:
>> It was brought up by Billy Hoffman (http://zoompf.com) that some web
>> applications have very sensitive sessions and they are set up to expire the
>> session (ie, log the person out) if a request is received that has no
>> session cookie header in it, etc. The assertion was that this type of thing
>> would be a potential DoS attack vector, by allowing an unrelated website to
>> include a hidden <img rel=anonymous> request in their markup that made a
>> request to a site known to log out on such non-cookie requests, and thus
>> effectively logging users out of the app without their control/knowledge.
>
> How will they know which session to expire given that no cookies are
> sent and so they can't tell who the request is coming from?

You can expire the client-side part of the session without knowing which
session it is, so long as the browser reads the Set-Cookie header in the
response. You could simply respond with an expired Set-Cookie header to any
request without a Cookie header. The server-side part of the session would
remain active, of course, but that makes no difference to users.

-- 
Björn Höhrmann · mailto:bjo...@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
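The mechanism Björn describes, modelled in Python as an added example that is not part of the thread and not code from any of the participants. The "weak" handler is the server policy the thread discusses (expire the session on any request lacking a Cookie header); the "hardened" handler and its POST /logout path are an assumed safer policy, not something the thread proposes; the cookie jar is a deliberately minimal model of the browser behaviour Björn relies on (an expired Set-Cookie in the response deletes the cookie even though the request carried none), using only the standard library.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

SESSION_COOKIE = "session"
# An already-expired Set-Cookie value: a browser deletes the named cookie on receipt.
EXPIRED_COOKIE = f"{SESSION_COOKIE}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/"


def weak_handler(method, path, request_headers):
    """Server policy discussed in the thread: a request with no Cookie header is
    answered with an expired Set-Cookie. The server never learns whose session it
    is, but the receiving browser still deletes its own copy of the cookie."""
    if "Cookie" not in request_headers:
        return {"Set-Cookie": EXPIRED_COOKIE}
    return {}


def hardened_handler(method, path, request_headers):
    """Assumed safer policy (not from the thread): a cookieless request is served
    as an anonymous visitor and never changes cookie state. The session cookie is
    cleared only by an explicit logout (hypothetical POST /logout) that carries
    the user's own cookie, so only the user's own actions end the session."""
    if "Cookie" not in request_headers:
        return {}
    if method == "POST" and path == "/logout":
        return {"Set-Cookie": EXPIRED_COOKIE}
    return {}


def apply_set_cookie(jar, set_cookie_value):
    """Minimal model of the browser's cookie jar update: a Set-Cookie whose
    Expires lies in the past removes the cookie; anything else stores it."""
    parsed = SimpleCookie()
    parsed.load(set_cookie_value)
    for name, morsel in parsed.items():
        expires = morsel["expires"]  # "" when the attribute is absent
        if expires:
            when = parsedate_to_datetime(expires)
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when <= datetime.now(timezone.utc):
                jar.pop(name, None)
                continue
        jar[name] = morsel.value
    return jar


def cross_site_subresource(handler, jar):
    """A third-party page embeds a credential-less subresource (the
    <img rel=anonymous> case from the thread): the request carries no Cookie
    header, but any Set-Cookie in the response is still applied to the jar."""
    response = handler("GET", "/", {})
    if "Set-Cookie" in response:
        apply_set_cookie(jar, response["Set-Cookie"])
    return jar


def session_survives(handler):
    """True if a logged-in user's session cookie is still present after an
    unrelated site has triggered one cookieless request against the server."""
    jar = {SESSION_COOKIE: "abc123"}  # constructed: user is currently logged in
    cross_site_subresource(handler, jar)
    return SESSION_COOKIE in jar


def explicit_logout_clears(handler):
    """True if the user's own logout request (cookie attached) ends the session."""
    jar = {SESSION_COOKIE: "abc123"}  # constructed
    response = handler("POST", "/logout", {"Cookie": f"{SESSION_COOKIE}=abc123"})
    if "Set-Cookie" in response:
        apply_set_cookie(jar, response["Set-Cookie"])
    return SESSION_COOKIE not in jar


if __name__ == "__main__":
    print("weak policy, session survives cross-site request:",
          session_survives(weak_handler))
    print("hardened policy, session survives cross-site request:",
          session_survives(hardened_handler))
```

Running the block prints False for the weak policy and True for the hardened one: the point is that the server-side session in the weak case is untouched, exactly as Björn says, yet the user is still logged out from their own browser's point of view. A server that wants "no cookie means logged out" semantics should treat the missing cookie as an anonymous request rather than as an instruction to emit an expiring Set-Cookie.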