[talk] Cyber False Login

Sujit K M kmsujit at gmail.com
Thu Dec 28 03:17:08 EST 2017


On Thu, Dec 28, 2017 at 10:13 AM, John Weintraub
<johnweintraub at gmail.com> wrote:
> Hi Sujit;
>
> I'd think that the site A or B or both have some auto-logoff feature, where
> after not very long, if no activity is detected, the user is logged out.
> This could be, say three to five minutes of inactivity. I know that would
> create some vulnerability, but that's a pretty narrow window in which to
> hack a website. And for my money, I think it would be site A that would have
> the auto-logoff feature, which might be as simple as a script telling site B
> to log out the inactive user.
>

Another way to look at it: since A calls B and B knows A is the one
that is authenticated, it doesn't let another site C use the
authentication owned by A.


