the application. The tester should first check that a logout option is present on every page of the Web
application, so that the user can log out at any time. The tester should also verify that the logout
mechanism is effective, i.e. that the user cannot regain access to the application without
reauthenticating. One of the basic tests is to press the browser's back button after logging out. If the
back button gives the tester access to the restricted session of the Web application, it is clear that the
session management and logout functionality have been implemented incorrectly. Another test is to
note down or copy the session identifier while authenticated. After logging out, the tester should try to
access the restricted section of the Web application by setting the session identifier to the value that
was present while he/she was previously authenticated. If the application does not track inactive or
invalidated sessions, the user is logged into the application with the same session ID, proving that the
logout and session management functionality has been implemented improperly.
The tester should also check for caching of information in the browser's cache. Web applications
do not automatically erase the browser cache when the user logs out. Ideally, the Web application
should not be implemented to cache any sensitive information in the user's browser. This may be
tested by viewing the HTTP response headers. The HTTP messages given below display the
difference between cached and noncached pages.
GET / HTTP/1.1
Host: www.example.co.in
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.7,kn;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
The above example shows the HTTP Response header which caches the web
application's information in the user's browser.
GET /accounts/OfflineManifest HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.7,kn;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cache-Control: no-cache, no-cache
Pragma: no-cache, no-cache
Cookie: Locale_session=en; BALX=jiPjFdROPdQ; PREF=ID=9edca9467bac7d0d:TM=1262660023:LM=1262660023:S=b_FOSYmyQcoMoC7Q; NID=30=GQAx-4Ubuu8XbSezaawSUXx9FfG-X4NpJsbGEkKehlVVKfIFho7TRyVvdsvA0P_re9LC7emRnGzVSCRwVMY6N5zXnVmYa1IzTBkQPmEpsoGcjY3abY6k4Spk9c6LEgF0; TZ=-330
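The header check described above, as an added example that is not part of the book: a small Python audit that parses a response's headers and reports which anti-caching directives are missing, including the caveat that "no-cache" alone still lets the browser store the page (only "no-store" forbids it). The three sample responses are constructed for illustration, not captured from a real site.

```python
from typing import Dict, List


def parse_headers(raw: str) -> Dict[str, str]:
    # Skip the status line; lowercase names; join repeated headers with commas.
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def directives(value: str) -> set:
    # "no-cache, no-cache" -> {"no-cache"}; duplicates collapse.
    return {d.strip().lower() for d in value.split(",") if d.strip()}


def cache_findings(raw_response: str) -> List[str]:
    # Returns the reasons a browser or proxy may retain this response;
    # an empty list means caching of the page is fully disabled.
    h = parse_headers(raw_response)
    cc = directives(h.get("cache-control", ""))
    findings: List[str] = []
    if not cc:
        findings.append("Cache-Control absent: response is cacheable by default")
    elif "no-store" not in cc:
        findings.append("Cache-Control lacks no-store: no-cache alone still lets "
                        "the browser store the page and serve it after revalidation")
        if "private" not in cc:
            findings.append("Cache-Control lacks private: shared proxies may cache it")
    if "no-cache" not in directives(h.get("pragma", "")):
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches ignore Cache-Control)")
    if "expires" not in h:
        findings.append("Expires missing: set it to 0 or a date in the past")
    return findings


# Constructed sample responses (assumed values, not from any real application).
CACHED_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nSet-Cookie: JSESSIONID=abc\r\n"
NOCACHE_RESPONSE = ("HTTP/1.1 200 OK\r\nCache-Control: no-cache, no-cache\r\n"
                    "Pragma: no-cache, no-cache\r\nExpires: 0\r\n")
HARDENED_RESPONSE = ("HTTP/1.1 200 OK\r\nCache-Control: no-store, no-cache, must-revalidate\r\n"
                     "Pragma: no-cache\r\nExpires: 0\r\n")

if __name__ == "__main__":
    for name, resp in [("cached", CACHED_RESPONSE), ("no-cache only", NOCACHE_RESPONSE),
                       ("hardened", HARDENED_RESPONSE)]:
        print(name, cache_findings(resp) or ["OK"])
```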