1. Technical Field
This disclosure relates generally to web application security and in particular to a method and system for secure logout from a machine, such as a web application management device.
2. Background of the Related Art
Service-Oriented Architectures enable the creation of composite applications that are comprised of reusable, loosely-coupled service components. Using the Simple Object Access Protocol (SOAP), Service Oriented Architecture (SOA) clients can invoke web services built atop the eXtensible Markup Language (XML) without explicit support for a wide variety of transport protocols and formats. A SOAP facade that sits in front of a legacy service may be constructed to enable web service virtualization, where clients invoke a virtualized version of the underlying service, thereby mitigating the need to understand intricate details of the service's implementation.
Appliances built purposely for performing traditional middleware service oriented architecture (SOA) functions are becoming more prevalent in certain computer environments. For example, SOA middleware appliances may simplify, help secure or accelerate XML and Web services deployments while extending an existing SOA infrastructure across an enterprise. The move toward middleware appliances that are built purposefully for SOA functions is predicated, at least in part, on the observation that conventional software solutions, despite the broad functional platforms, flexibility and customization they offer, have increased the processing requirements of SOA-based payloads.
The utilization of middleware-purposed hardware and lightweight middleware stacks can address the performance burden experienced by conventional software solutions. In addition, the appliance form-factor provides a secure, consumable packaging for implementing middleware SOA functions. However, the gains achieved by conventional middleware appliances come with a management burden: each SOA middleware appliance is a new node in the enterprise that is configured individually and independently of the rest of the middleware infrastructure.
Many web applications implement a generic logout strategy that involves setting a logout timer, issuing an “idle session” warning within a given time period (e.g., 30 seconds) prior to the timeout and then, after the time period expires, deleting the user's session. Thus, if a user is away from the computer or otherwise inattentive after the warning is issued, the user's session is terminated, after which the application redirects the browser either to a home page or to a new login screen. This type of solution works well in some environments, such as a machine being used for web access in a public environment (e.g., a library or a cyber-café). Within a closed environment, however, this type of forced logoff function can be quite frustrating. The problem is exacerbated in a situation where the user has logged in from a trusted zone to administer an appliance, such as an appliance as described above. An appliance of this type typically utilizes numerous objects that must be configured following logoff. In that case, a forced logout (due to inactivity or inattention) deletes all previously-configured data, which requires prompting the user to re-enter that data. This is a time-consuming and manual process that is highly undesirable, especially in the context of an appliance that has a large number of self-sufficient objects that are capable of being administered independently.
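The generic idle-logout strategy just described, modelled as a small server-side session store so the failure mode is visible: the warning window opens a fixed number of seconds before the timeout, expiry deletes the session together with any configuration the administrator had entered but not yet committed, and a late request on an expired session is refused rather than reviving it. This is an added illustration, not code from the disclosure; the 600-second idle timeout, the 30-second warning window and the `SessionStore` API are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IDLE_TIMEOUT = 600.0    # seconds of inactivity before deletion (assumed value)
WARNING_WINDOW = 30.0   # warning is issued this many seconds before the timeout


@dataclass
class Session:
    user: str
    last_activity: float
    # Configuration entered but not yet committed; lost on forced logout.
    pending_config: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """Hypothetical server-side session table with an idle timeout and warning phase."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT,
                 warning_window: float = WARNING_WINDOW) -> None:
        if not 0 < warning_window < idle_timeout:
            raise ValueError("warning window must lie inside the idle timeout")
        self.idle_timeout = idle_timeout
        self.warning_window = warning_window
        self._sessions: Dict[str, Session] = {}

    def login(self, sid: str, user: str, now: float) -> None:
        self._sessions[sid] = Session(user=user, last_activity=now)

    def status(self, sid: str, now: float) -> str:
        """Return 'none' (unknown session), 'active', 'warning' or 'expired'."""
        s = self._sessions.get(sid)
        if s is None:
            return "none"
        idle = now - s.last_activity
        if idle >= self.idle_timeout:
            return "expired"
        if idle >= self.idle_timeout - self.warning_window:
            return "warning"
        return "active"

    def touch(self, sid: str, now: float) -> bool:
        """Record activity. An expired session is deleted, never revived by a
        late request; the caller should redirect to the login screen."""
        if self.status(sid, now) in ("none", "expired"):
            self._sessions.pop(sid, None)
            return False
        self._sessions[sid].last_activity = now
        return True

    def stage_config(self, sid: str, key: str, value: str, now: float) -> bool:
        """Store an uncommitted configuration value; counts as user activity."""
        if not self.touch(sid, now):
            return False
        self._sessions[sid].pending_config[key] = value
        return True

    def reap(self, now: float) -> List[str]:
        """The forced logout: delete every expired session and return their ids."""
        dead = [sid for sid in self._sessions if self.status(sid, now) == "expired"]
        for sid in dead:
            del self._sessions[sid]
        return dead

    def pending_count(self, sid: str) -> Optional[int]:
        s = self._sessions.get(sid)
        return None if s is None else len(s.pending_config)


def walkthrough() -> dict:
    """Constructed scenario: an administrator logs in, stages three objects,
    then walks away from the console."""
    store = SessionStore()
    store.login("sid-1", "admin", now=0.0)
    for i, t in enumerate((10.0, 20.0, 30.0)):
        store.stage_config("sid-1", f"object{i}", "configured", now=t)
    # last activity is at t=30, so the warning opens at t=600 and expiry is at t=630
    return {
        "staged": store.pending_count("sid-1"),
        "at_599": store.status("sid-1", now=599.0),
        "at_600": store.status("sid-1", now=600.0),
        "at_630": store.status("sid-1", now=630.0),
        "reaped": store.reap(now=630.0),
        "late_request_ok": store.touch("sid-1", now=631.0),
        "after": store.pending_count("sid-1"),
    }


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

The `walkthrough` result shows the point the paragraph makes: three staged objects exist while the session is active or in its warning phase, and after `reap` runs the session and all of its uncommitted configuration are gone, so the next request is turned away and the data must be re-entered.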