The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

the primary session token. If a per-page token is received out of

sequence, then the entire session is invalidated. Suppose that you dis-

cover some defect that enables you to predict or capture the tokens

issued to other users who are currently accessing the application. Are

you able to hijack their sessions?

5. You log in to an application and the server sets the following cookie:

Set-cookie: sess=ab11298f7eg14;

When you click the logout button, this causes the following client-side

script to execute: 

document.cookie=”sess=”;

document.location=”/“;

What conclusion would you draw from this behavior?