in Q2A Core by
I see the session cookie is only valid until the session ends. But if I close my browser and restart it, I am still logged in (???). Why? How can I make login times shorter? Background XSS attacks won't hurt so much if the user is not always logged in.
by
Do you know what XSS is? Have you tried an XSS attack on your site?
by
Yes if the users browser executes foreign javascript in the security context of my site.

Example from Wikipedia (number 6 is only possible if Alice is logged in to Bob's site):

1. Alice often visits a particular website, which is hosted by Bob. Bob's website allows Alice to log in with a username/password pair and stores sensitive data, such as billing information.

2. Mallory observes that Bob's website contains a reflected XSS vulnerability.

3. Mallory crafts a URL to exploit the vulnerability, and sends Alice an email, enticing her to click on a link for the URL under false pretenses. This URL will point to Bob's website (either directly or through an iframe or ajax), but will contain Mallory's malicious code, which the website will reflect.

4. Alice visits the URL provided by Mallory while logged into Bob's website.

5. The malicious script embedded in the URL executes in Alice's browser, as if it came directly from Bob's server (this is the actual XSS vulnerability). The script can be used to send Alice's session cookie to Mallory.

6. Mallory can then use the session cookie to steal sensitive information available to Alice (authentication credentials, billing info, etc.) without Alice's knowledge.


Knowing this, I think the "remember me" function on websites is generally a bad idea.


No, I never tried an XSS attack :)

regards,
temi
by
You didn't need to explain XSS to me (I just wanted to make sure you knew what you were asking).

I suggest you *try* an XSS attack on your own Q2A site, then you'll see that it has XSS protection. Changing login times won't affect anything.
by
Yeah, I guess I was a little bit wrong. I mean CSRF, not simple XSS, which can indeed be avoided with proper output filtering.
by
Hmm, well I assume Q2A has CSRF protection as well but I don't know for sure. Maybe try that on your own site and see.
by
FYI, Q2A doesn't currently have CSRF protection. There are no GET requests with side-effects in Q2A, so only POST attacks would be an issue - these are somewhat harder to pull off, but still a possibility.

With CSRF, it's only possible to attack a specific Q2A site, not all Q2A sites in general. So it shouldn't be a major concern unless your site has a very high profile within some specific community, many of whose members also hang out a lot at some other specific site, and where that other site owner is a nasty piece of work.

Still, this should be addressed in a future version.
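As an added illustration of the two points raised in this thread (a session cookie that is not persisted across browser restarts, and a per-session CSRF token that only state-changing POST requests must carry), here is example code that is not part of Q2A and not written by anyone in this thread. The cookie name `qa_session`, the form field `csrf_token` and the session id values are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed for this example; a real deployment loads the secret from config, not source.
SERVER_SECRET = secrets.token_bytes(32)
SESSION_COOKIE = "qa_session"   # assumed cookie name
TOKEN_FIELD = "csrf_token"      # assumed POST form field name


def set_cookie_header(session_id: str, remember: bool = False) -> str:
    """Build the Set-Cookie header for the login session.

    Without 'remember' no Max-Age is given, so the cookie lives only for the browser
    session. HttpOnly keeps script away from it, SameSite=Lax stops the browser from
    attaching it to cross-site POSTs, which blunts the CSRF scenario discussed above.
    """
    attrs = [f"{SESSION_COOKIE}={session_id}", "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
    if remember:
        attrs.append(f"Max-Age={30 * 24 * 3600}")  # persistent "remember me" cookie
    return "; ".join(attrs)


def csrf_token(session_id: str) -> str:
    """Derive the CSRF token from the session id with an HMAC, so nothing extra is stored.

    A third-party site can make the browser send the cookie, but it cannot read the
    cookie value, so it cannot compute this token and cannot include it in a forged form.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def request_is_authorized(method: str, cookie_header: str, form: dict) -> bool:
    """Decide whether a request may proceed.

    GET requests have no side effects here (as the thread notes for Q2A), so they need no
    token. POST requests must present a token matching the one derived from the session.
    """
    if method == "GET":
        return True
    jar = SimpleCookie()
    jar.load(cookie_header)
    if SESSION_COOKIE not in jar:
        return False  # no login session, so nothing to forge against
    expected = csrf_token(jar[SESSION_COOKIE].value)
    supplied = form.get(TOKEN_FIELD, "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(expected, supplied)
```

A cross-site form post arrives with the cookie but without the token, so `request_is_authorized` rejects it; a form rendered by the site itself embeds `csrf_token(session_id)` as a hidden field and passes.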
