OWASP Annotated Application Security Verification Standard
3.5 Shows logout link

Verify that all pages that require authentication have easy and visible access to logout functionality.

Levels: 1, 2, 3

General

Check that the application provides a logout button and that this button is present and clearly visible on every page that requires authentication. A logout button that is not clearly visible, or that appears only on certain pages, is a security risk: the user may forget to use it at the end of the session, leaving an authenticated session open on a shared or unattended machine.
  • OWASP: Testing for Logout and Browser Cache Management (OWASP-AT-007)

Note that for larger applications it may be impractical to test every page; in that case, identify the distinct areas or application flows and check each one briefly for the logout control.
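As an added example (not part of the ASVS annotation or any OWASP tooling), the following Python check classifies the rendered HTML of authenticated pages as passing, carrying only a hidden logout control, or lacking one altogether. What counts as a logout control (`<a>`/`<button>` whose link or text reads like "log out"/"sign out"), what counts as hidden (a `hidden` attribute or `display:none` on the control or an ancestor), and the sample pages are all assumptions constructed for the demo.

```python
import re
from html.parser import HTMLParser

LOGOUT_RE = re.compile(r"\b(log\s*-?\s*(out|off)|sign\s*-?\s*out)\b", re.I)
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID = {"br", "hr", "img", "input", "link", "meta"}  # elements with no end tag

class LogoutFinder(HTMLParser):
    """Find <a>/<button> logout controls; hidden/display:none on them or an ancestor hides them."""
    def __init__(self):
        super().__init__()
        self.stack = []        # hidden flag for each currently open element
        self.candidate = None  # [tag, href, text parts, visible] being read
        self.found = []        # (label, visible) for each logout control seen
    def handle_startendtag(self, tag, attrs):  # <br/> etc.: no end tag to pop
        self.handle_starttag(tag, attrs)
    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a = {k: (v or "") for k, v in attrs}
        self.stack.append("hidden" in a or bool(HIDDEN_RE.search(a.get("style", ""))))
        if tag in ("a", "button") and self.candidate is None:
            self.candidate = [tag, a.get("href", ""), [], not any(self.stack)]
    def handle_data(self, data):
        if self.candidate is not None:
            self.candidate[2].append(data)
    def handle_endtag(self, tag):
        if self.stack:
            self.stack.pop()
        if self.candidate is not None and tag == self.candidate[0]:
            _, href, parts, visible = self.candidate
            text = " ".join(parts).strip()
            if LOGOUT_RE.search(href) or LOGOUT_RE.search(text):
                self.found.append((text or href, visible))
            self.candidate = None

def verdict(html):
    """Classify one authenticated page for ASVS 3.5: 'pass', 'hidden' or 'missing'."""
    finder = LogoutFinder()
    finder.feed(html)
    if not finder.found:
        return "missing"
    return "pass" if any(visible for _, visible in finder.found) else "hidden"

PAGES = {  # constructed sample pages, all served only after authentication
    "/dashboard": '<nav><a href="/home">Home</a> <a href="/logout">Log out</a></nav>',
    "/settings": '<nav><a href="/home">Home</a><div hidden><a href="/logout">Log out</a></div></nav>',
    "/profile": '<nav><a href="/home">Home</a></nav>',
}
```

Running `verdict` over each authenticated page fetched with a logged-in session turns the manual walk-through described above into a repeatable check; a verdict of `hidden` is the case the text warns about, a control that exists but the user will not see.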


© Copyright 2015, Boy Baukema. Revision 471fcb0a.
