WebApp Sec mailing list archives

Re: Single terminal login


From: Matt Wirges <wirges () purdue edu>
Date: Mon, 16 Feb 2004 10:03:53 -0500

stevenr () mastek com wrote:
Hi

I have worked with web based applications for quite some time. One issue to which I have not found a satisfactory answer yet is that of a problem with Single Terminal Login in a web based application. By Single Terminal Login, I mean that if one user logs into a web application (say JSP based), s/he should not be able to login from another machine or even another browser from the same machine. This can be achieved easily by setting a "logged in" flag on the server side using a DB or LDAP etc. When the user clicks on the Logout link, the flag is reset and only then can the user login from another browser/window. Now the hitch. If the user closes the browser directly, or the power goes out, or the browser hangs and has to be killed, the flag remains as "logged in". In short, the user cannot login to the system again. The one workaround used commonly is setting a timeout after which the user can login again, where a "last active time" is maintained for each user. Every login request is cross-checked against this time and if the difference is greater than some threshold value, the user is able to login again. But this means that every time the user does something the "last active time" will have to be updated, which will be expensive in a high traffic site. Also, the threshold value is always a hot topic of debate :-)

Does anyone know a better or a different approach to this? It would be helpful if someone knows some sites/papers for this. I have googled but haven't come across any myself.

- Steve

"He who laughs last probably made a backup..."




Steve,

What we've done in the past on a few applications is simply close the old session the next time the user logs in. For example, one of the applications I worked on is a web interface for incident response. One of its features is time tracking, to see how long a responder has worked on an incident. So if the responder closes his web browser or his session expires, i.e. he doesn't log out via the application, the session remains active in the session table until the next time he logs in. When the user logs in again, the system asks him to enter the time when he last used it, then closes the old session, updating it with his logout time, and initiates the new session.

In other applications I've simply auto-closed the session when a new login is detected.


-matt

--
Matthew Wirges
IT Security and Policy Analyst
Security and Policy
Information Technology at Purdue
wirges () purdue edu :: (765)49-62307
www.itap.purdue.edu/security
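The following is an added example, not code from either poster or from Purdue's application, showing the approach Matt describes: a session table that allows one live session per user, closes any stale session at the user's next login (recording either a user-reported "last used" time or the last activity the server saw), and falls back to an idle timeout for the case Steve raises, where the browser was killed or the machine lost power. The in-memory dict standing in for the session table, the injectable clock, the `write_granularity` knob (which bounds how often the "last active time" is written, addressing the cost concern in the question) and all timing values are assumptions for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Session:
    token: str
    user: str
    created: float
    last_active: float
    closed_at: Optional[float] = None


class SingleSessionStore:
    """One live session per user, kept in an in-memory 'session table'.

    Assumptions (not from the thread): the table is a dict rather than a
    database, timestamps are UNIX seconds, and the clock is injectable so
    the idle timeout can be exercised deterministically.
    """

    def __init__(self, idle_timeout: float = 900.0, write_granularity: float = 60.0,
                 clock: Callable[[], float] = time.time) -> None:
        self.idle_timeout = idle_timeout
        # Persist last_active only when it is at least this stale: at most one
        # write per user per window instead of one per request, at the cost of
        # the idle check being this coarse.
        self.write_granularity = write_granularity
        self.clock = clock
        self.by_token: Dict[str, Session] = {}
        self.active_by_user: Dict[str, str] = {}   # user -> live session token
        self.history: List[Session] = []            # closed sessions, for audit

    def login(self, user: str, reported_last_used: Optional[float] = None) -> str:
        """Open a new session; any existing session for this user is closed first."""
        now = self.clock()
        old_token = self.active_by_user.get(user)
        if old_token is not None:
            # Matt's approach: the stale session is closed at the next login.
            # Its logout time is what the user reports (time-tracking case),
            # otherwise the last activity the server saw.
            old = self.by_token[old_token]
            end = reported_last_used if reported_last_used is not None else old.last_active
            self._close(old_token, end)
        token = secrets.token_urlsafe(32)          # unguessable session id
        self.by_token[token] = Session(token, user, now, now)
        self.active_by_user[user] = token
        return token

    def validate(self, token: str) -> Optional[Session]:
        """Return the session if it is live (refreshing activity), else None."""
        s = self.by_token.get(token)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_active > self.idle_timeout:
            # Idle too long: treat it as an implicit logout at last activity,
            # which is what frees a user whose browser died without a Logout.
            self._close(token, s.last_active)
            return None
        if now - s.last_active >= self.write_granularity:
            s.last_active = now
        return s

    def logout(self, token: str) -> bool:
        """Explicit Logout link: close the session at the current time."""
        if token not in self.by_token:
            return False
        self._close(token, self.clock())
        return True

    def _close(self, token: str, closed_at: float) -> None:
        s = self.by_token.pop(token)
        s.closed_at = closed_at
        self.history.append(s)
        if self.active_by_user.get(s.user) == token:
            del self.active_by_user[s.user]


if __name__ == "__main__":
    store = SingleSessionStore(idle_timeout=900.0)
    first = store.login("alice")
    second = store.login("alice")        # second browser: first is closed
    print("first still valid:", store.validate(first) is not None)   # False
    print("second valid:", store.validate(second) is not None)       # True
    print("closed sessions:", [(s.user, s.closed_at) for s in store.history])
```

Closing the prior session on the new login is what makes the "logged in" flag self-healing: the user is never locked out, and the idle timeout only matters for the audit record (when the old session is considered to have ended), not for whether the user can get back in. The tradeoff is that a second login from anywhere always wins, so the session history is worth keeping and reviewing when a user reports a login they did not make.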

