WebApp Sec mailing list archives
Re: concurrent logins
From: Stephen de Vries <stephen () continuumsecurity net>
Date: Mon, 24 Nov 2014 09:03:52 +0100
The reason I was thinking about this is the thing I was reading was suggesting to prevent session hijacking that concurrent logins should not be allowed, 2FA stops actual logins but not hijacks.
Session hijacking is only possible after some other vulnerability in the site is exploited, e.g. XSS, or lack of HTTPS. So I would first focus the effort into countermeasures for those vulnerabilities and only afterwards start thinking about secondary countermeasures against session hijacking itself. A countermeasure not yet mentioned is to authenticate specific high risk requests with a password, or PIN. E.g. when initiating a transaction like funds transfer/payment/password change, you could require the user to re-enter the password so that that specific request is authenticated. regards, — Stephen de Vries CTO Continuum Security Mobile: +34 616 33 81 38 UK: +44 20 3137 0944 @stephendv This list is sponsored by Cenzic -------------------------------------- Let Us Hack You. Before Hackers Do! It's Finally Here - The Cenzic Website HealthCheck. FREE. Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus --------------------------------------
Current thread:
- Re: concurrent logins, (continued)
- Re: concurrent logins Arvind (Nov 19)
- Re: concurrent logins Seth Art (Nov 19)
- Re: concurrent logins Matt Konda (Nov 19)
- Re: concurrent logins James Wright (Nov 19)
- RE: concurrent logins Zaakiy Siddiqui (Nov 19)
- Message not available
- Re: concurrent logins Robin Wood (Nov 21)
- Message not available
- Re: concurrent logins Robin Wood (Nov 21)
- Message not available
- Re: concurrent logins Robin Wood (Nov 21)
- RE: concurrent logins Martin O'Neal (Nov 19)
- Re: concurrent logins Robin Wood (Nov 19)
- Re: concurrent logins Stephen de Vries (Nov 24)
- Re: concurrent logins Robin Wood (Nov 24)