Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
0 votes
351 views
in Q2A Core by
I see the session cookie is only valid untill the Session end. But if i close my Browser and restart I still loged in (???) why? How can I make shorter Login Times Background XSS-Attacks won't hurt so much if the user is not always logged in
by
You didn't need to explain XSS to me (I just wanted to make sure you knew what you were asking).

I suggest you *try* an XSS attack on your own Q2A site, then you'll see that it has XSS protection. Changing login times won't affect anything.
by
yeah I guess I was little bit wrong I mean CSFR not simple XSS wich can indeed avoided with proper output filtering.
by
Hmm, well I assume Q2A has CSRF protection as well but I don't know for sure. Maybe try that on your own site and see.
by
FYI, Q2A doesn't currently have CSRF protection. There are no GET requests with side-effects in Q2A, so only POST attacks would be an issue - these are somewhat harder to pull off, but still a possibility.

With CSRF, it's only possible to attack a specific Q2A site, not all Q2A sites in general. So it shouldn't be a major concern unless your site has a very high profile within some specific community, many of whose members also hang out a lot at some other specific site, and where that other site owner is a nasty piece of work.

Still, this should be addressed in a future version.

Please log in or register to answer this question.

...