OWASP Periodic Table of Vulnerabilities - Implicit Logout
Root Cause Summary
Web applications have no simple way to know when a user has browsed away from the site without explicitly logging out. In a shared computing environment, a user can easily access the previous users' sensitive data, even though those users might believe they had performed some action that was the equivalent of logging out (closing the browser, navigating to another site, clicking the home button, etc.).
Browser / Standards Solution
CSP should define a logout page or function which accepts the session token value as a POST parameter (to prevent CSRF logout). If the user no longer has any open pages on the site for any reason, the browser should submit the session token from the session cookie specified by the CSP as a cleanup activity. By default, the browser should also discard any session cookies whenever there are no longer any open pages on the corresponding site(s), as well.
Generic Framework Solution
LONG TERM: Expose a handler for CSP policy.
Custom Framework Solution
Custom Code Solution
Discussion / Controversy