Penetration Testing mailing list archives
Re: Concurrent Sessions and User Feedback
From: "Chris Saulnier" <chris.saulnier () ns sympatico ca>
Date: Sun, 6 Apr 2003 19:18:59 -0300
I'm new here, and also inexperienced, so I'm not sure how good these ideas would be in practice. If this is for a application where only certain people will have accounts, not a public app where anyone can sign up, then you could do the following: If it's a successful login, but the account is locked-out, currently logged in or if the username and password don't exist, give an error saying please check your company email, a message has been delivered to you. In which it will detail the problem with their account, if the account actually existed. If it is a public application then you could just give an un-helpful message like there was an error logging in, please contact the admin if you believe this login should of worked. Chris Saulnier http://paladindesign.net ----- Original Message ----- From: "Susan Olson" <olson.susan () excite com> To: <pen-test () securityfocus com> Sent: Saturday, April 05, 2003 4:33 PM Subject: Concurrent Sessions and User Feedback
I'm looking for words of wisdom/advice/ideas on how to handle this from a
security/"best practices" perspective.
Basically, I am evaluating a web application that disallows concurrent
sessions; it only allows for one unique logon session to occur at the same time using just one username/password combination.
My question.what is the best way to handle "feedback" for users attempting
to access an account that is already logged-on? Currently, users get a message stating that the account that they are attempting to use is already logged-on. I am not comfortable with this because it lends to the possible harvesting of valid UserIDs & Passwords by an "evil doer." Also, I have a similar issue with the "feedback" given to users when an account is locked out."Your account is currently locked out, please contact an administrator" in that I only get this message when I have entered a valid User ID & Password for an account that is locked out - seems to facilitate harvesting as well.
If anyone could provide me with some ideas/strategies, etc. on how to
implement this securely I would greatly appreciate it!
- Sue _______________________________________________ Join Excite! - http://www.excite.com The most personalized portal on the Web! top spam and e-mail risk at the gateway. SurfControl E-mail Filter puts the brakes on spam & viruses and gives you the reports to prove it. See exactly how much junk never even makes it in the door. Free 30-day trial: http://www.securityfocus.com/SurfControl-pen-test
top spam and e-mail risk at the gateway. SurfControl E-mail Filter puts the brakes on spam & viruses and gives you the reports to prove it. See exactly how much junk never even makes it in the door. Free 30-day trial: http://www.securityfocus.com/SurfControl-pen-test
Current thread:
- Concurrent Sessions and User Feedback Susan Olson (Apr 06)
- RE: Concurrent Sessions and User Feedback Rob Shein (Apr 06)
- Re: Concurrent Sessions and User Feedback Chris Saulnier (Apr 06)
- Re: Concurrent Sessions and User Feedback Daniel Staal (Apr 06)
- Re: Concurrent Sessions and User Feedback Anders Thulin (Apr 07)