Penetration Testing mailing list archives

RE: Concurrent Sessions and User Feedback

From: "Rob Shein" <shoten () starpower net>
Date: Sun, 6 Apr 2003 17:55:03 -0400

I would say that it would be best only to offer either message if the
login/password combination were correct.  While it does to some extent
assist someone who is brute-forcing an account, it would only work if they
already got the correct account...and from what I'm gathering, the system
locks out accounts that suffer too many failed attempts.

-----Original Message-----
From: Susan Olson [mailto:olson.susan () excite com] 
Sent: Saturday, April 05, 2003 2:33 PM
To: pen-test () securityfocus com
Subject: Concurrent Sessions and User Feedback

I'm looking for words of wisdom/advice/ideas on how to handle this from a
security/"best practices" perspective.  

Basically, I am evaluating a web application that disallows concurrent
sessions; it only allows for one unique logon session to occur at the same
time using just one username/password combination.  

My question.what is the best way to handle "feedback" for users attempting
to access an account that is already logged-on?  Currently, users get a
message stating that the account that they are attempting to use is already
logged-on.  I am not comfortable with this because it lends to the possible
harvesting of valid UserIDs & Passwords by an "evil doer."  Also, I have a
similar issue with the "feedback" given to users when an account is locked
out."Your account is currently locked out, please contact an administrator"
in that I only get this message when I have entered a valid User ID &
Password for an account that is locked out - seems to facilitate harvesting
as well.  

If anyone could provide me with some ideas/strategies, etc. on how to
implement this securely I would greatly appreciate it! 

- Sue

_______________________________________________
Join Excite! - http://www.excite.com
The most personalized portal on the Web!

top spam and e-mail risk at the gateway.
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it. See exactly how much junk never even
makes it in the door. Free 30-day trial:
http://www.securityfocus.com/SurfControl-pen-test

top spam and e-mail risk at the gateway.
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it. See exactly how much
junk never even makes it in the door. Free 30-day trial:
http://www.securityfocus.com/SurfControl-pen-test

Current thread:

Concurrent Sessions and User Feedback Susan Olson (Apr 06)
- RE: Concurrent Sessions and User Feedback Rob Shein (Apr 06)
- Re: Concurrent Sessions and User Feedback Chris Saulnier (Apr 06)
- Re: Concurrent Sessions and User Feedback Daniel Staal (Apr 06)
- Re: Concurrent Sessions and User Feedback Anders Thulin (Apr 07)