Re: Concurrent Sessions and User Feedback

["Chris Saulnier" <chris.saulnier () ns sympatico ca>]

I'm new here, and also inexperienced, so I'm not sure how good these ideas
would be in practice. If this is for a application where only certain people
will have accounts, not a public app where anyone can sign up, then you
could do the following:

If it's a successful login, but the account is locked-out, currently logged
in or if the username and password don't exist, give an error saying please
check your company email, a message has been delivered to you. In which it
will detail the problem with their account, if the account actually existed.
If it is a public application then you could just give an un-helpful message
like there was an error logging in, please contact the admin if you believe
this login should of worked.

Chris Saulnier
http://paladindesign.net



----- Original Message -----
From: "Susan Olson" <olson.susan () excite com>
To: <pen-test () securityfocus com>
Sent: Saturday, April 05, 2003 4:33 PM
Subject: Concurrent Sessions and User Feedback


> I'm looking for words of wisdom/advice/ideas on how to handle this from a
security/"best practices" perspective.
> Basically, I am evaluating a web application that disallows concurrent
sessions; it only allows for one unique logon session to occur at the same
time using just one username/password combination.
> My question.what is the best way to handle "feedback" for users attempting
to access an account that is already logged-on?  Currently, users get a
message stating that the account that they are attempting to use is already
logged-on.  I am not comfortable with this because it lends to the possible
harvesting of valid UserIDs & Passwords by an "evil doer."  Also, I have a
similar issue with the "feedback" given to users when an account is locked
out."Your account is currently locked out, please contact an administrator"
in that I only get this message when I have entered a valid User ID &
Password for an account that is locked out - seems to facilitate harvesting
as well.
> If anyone could provide me with some ideas/strategies, etc. on how to
implement this securely I would greatly appreciate it!
> - Sue
>
>
>
>
> _______________________________________________
> Join Excite! - http://www.excite.com
> The most personalized portal on the Web!
>
> top spam and e-mail risk at the gateway.
> SurfControl E-mail Filter puts the brakes on spam & viruses
> and gives you the reports to prove it. See exactly how much
> junk never even makes it in the door. Free 30-day trial:
> http://www.securityfocus.com/SurfControl-pen-test



top spam and e-mail risk at the gateway.
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it. See exactly how much
junk never even makes it in the door. Free 30-day trial:
http://www.securityfocus.com/SurfControl-pen-test