Penetration Testing mailing list archives
Concurrent Sessions and User Feedback
From: "Susan Olson" <olson.susan () excite com>
Date: Sat, 5 Apr 2003 14:33:20 -0500 (EST)
I'm looking for words of wisdom/advice/ideas on how to handle this from a security/best practices perspective. Basically, I am evaluating a web application that disallows concurrent sessions; it only allows for one unique logon session to occur at the same time using just one username/password combination. My question is: what is the best way to handle feedback for users attempting to access an account that is already logged on? Currently, users get a message stating that the account that they are attempting to use is already logged on. I am not comfortable with this because it lends to the possible harvesting of valid UserIDs & Passwords by an evildoer.

Also, I have a similar issue with the feedback given to users when an account is locked out ("Your account is currently locked out, please contact an administrator"), in that I only get this message when I have entered a valid User ID & Password for an account that is locked out, which seems to facilitate harvesting as well.

If anyone could provide me with some ideas/strategies, etc. on how to implement this securely I would greatly appreciate it!

- Sue
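One way to address the concern raised in the post, as an added example that is not part of the original thread: a login handler that returns the same user-visible denial for a wrong password, an unknown user, a locked account and an already-logged-on account, and records the real reason only in a server-side audit log. The user store, salt scheme and message text are constructed for the example.

```python
import hashlib
import hmac
import logging
from dataclasses import dataclass

log = logging.getLogger("auth-audit")

# Constructed user store for the example: passwords are stored as salted
# SHA-256 digests; "locked" and "active_session" model the two states
# discussed in the post (a real system would use a proper password KDF).
@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    locked: bool = False
    active_session: bool = False

def _digest(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

USERS = {
    "alice": Account(b"s1", _digest(b"s1", "correct horse")),
    "bob":   Account(b"s2", _digest(b"s2", "battery staple"), locked=True),
    "carol": Account(b"s3", _digest(b"s3", "staple horse"), active_session=True),
}

GENERIC_DENIAL = "Login failed. Check your credentials or contact support."
# Dummy account so unknown usernames cost the same hashing work as known ones.
DUMMY = Account(b"s0", _digest(b"s0", "unused"))

def login(username: str, password: str) -> tuple[bool, str]:
    """Return (granted, user_visible_message).

    The message is identical for wrong password, unknown user, locked account
    and already-logged-on account, so the response cannot be used to confirm
    that a username/password pair is valid. The real reason goes only to the
    audit log, where administrators (not the client) can see it.
    """
    acct = USERS.get(username, DUMMY)
    pw_ok = hmac.compare_digest(_digest(acct.salt, password), acct.pw_hash)
    if username not in USERS or not pw_ok:
        reason = "bad credentials"
    elif acct.locked:
        reason = "account locked"
    elif acct.active_session:
        reason = "concurrent session refused"
    else:
        acct.active_session = True
        log.info("login ok user=%s", username)
        return True, "Welcome."
    log.warning("login denied user=%s reason=%s", username, reason)
    return False, GENERIC_DENIAL
```

The audit log (not the response) is where the "locked" and "already logged on" distinctions belong, so an operator can still detect repeated attempts against a locked account while the client learns nothing from the reply.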
Current thread:
- Concurrent Sessions and User Feedback Susan Olson (Apr 06)
- RE: Concurrent Sessions and User Feedback Rob Shein (Apr 06)
- Re: Concurrent Sessions and User Feedback Chris Saulnier (Apr 06)
- Re: Concurrent Sessions and User Feedback Daniel Staal (Apr 06)
- Re: Concurrent Sessions and User Feedback Anders Thulin (Apr 07)