WebApp Sec mailing list archives

Re: Concurrent Sessions and User Feedback


From: Jeremy Poteet <jpoteet () tech-partners com>
Date: Sat, 05 Apr 2003 13:48:08 -0600

Sue,

My concern for harvesting user ids in the two manners you describe is when
applications provide this type of information when only supplied with a user
id.  It sounds like in this application's case, that both a valid login and
password must be provided.  In that case, this feedback can be useful to a
legitimate user of the account, in that they are informed if someone else
may have gained access to the account.

Many systems provide the same feedback you have described when a valid user
id is supplied.  This would be the typical way that user ids can be
harvested.  Login messages such as in this case, registration pages that
report that the user id has already been taken, password reminder screens
that state they do not know a specific user, etc. all can be used in this
manner.

Jeremy Poteet, CISSP
Chief Technology Officer
Technology Partners, Inc.
1-877-636-1331 x105 (toll free)
636-519-1221 x105
http://www.tech-partners.com
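To make the harvesting point concrete, here is an added example (the editor's, not code from either poster or from the application under evaluation). It contrasts a login handler and a password-reminder handler whose pre-authentication responses differ for known and unknown user IDs with hardened versions that answer identically, and then shows how an attacker with only a candidate list tells the two apart. The user store, passwords, messages and the `harvest` helper are all constructed for the demonstration; the policy encoded in `safe_login` is the one the reply above describes: no account-state feedback until a valid password has been supplied.

```python
"""Added illustration of user-ID harvesting through differential feedback.
All accounts, passwords and messages below are constructed for the demo."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _pw_hash(password: str, salt: bytes) -> bytes:
    # Low iteration count so the demo runs quickly; raise it in real code.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    locked: bool = False
    session_active: bool = False


def _make(password: str, **flags) -> Account:
    salt = os.urandom(16)
    return Account(salt, _pw_hash(password, salt), **flags)


# Constructed user store (hypothetical accounts, not from the thread).
USERS = {
    "alice": _make("correct horse"),
    "bob": _make("hunter2", locked=True),
    "carol": _make("s3cret", session_active=True),
}
# Dummy credential: unknown IDs cost the same hashing work as real ones,
# so timing does not leak what the message no longer does.
_DUMMY = _make("unused")


def leaky_login(username: str, password: str) -> str:
    """Harvestable handler: the unknown-user branch alone identifies valid IDs."""
    acct = USERS.get(username)
    if acct is None:
        return "Unknown user ID"
    if not hmac.compare_digest(acct.pw_hash, _pw_hash(password, acct.salt)):
        return "Incorrect password"
    if acct.locked:
        return "Your account is currently locked out, please contact an administrator"
    if acct.session_active:
        return "This account is already logged on"
    return "Welcome"


def safe_login(username: str, password: str) -> str:
    """Unknown ID and wrong password produce the same text and the same cost.
    Account-state feedback (locked, already logged on) is given only after
    the caller has proven possession of the password."""
    acct = USERS.get(username, _DUMMY)
    valid = hmac.compare_digest(acct.pw_hash, _pw_hash(password, acct.salt))
    if acct is _DUMMY or not valid:
        return "Login failed"  # one message for every pre-authentication failure
    if acct.locked:
        return "Your account is currently locked out, please contact an administrator"
    if acct.session_active:
        return "This account is already logged on"
    return "Welcome"


def leaky_reminder(username: str) -> str:
    """Password-reminder screen that admits which IDs it does not know."""
    return "Reminder sent" if username in USERS else "No such user"


def safe_reminder(username: str) -> str:
    """Same response whether or not the ID exists; the e-mail, if any, goes out-of-band."""
    return "If that user ID exists, a reminder has been sent to its address"


def harvest(probe, candidates):
    """Attacker's view: an ID is taken as valid when the response differs from
    the response for an ID that certainly does not exist."""
    baseline = probe("zzz-definitely-not-a-user")
    return sorted(c for c in candidates if probe(c) != baseline)


CANDIDATES = ["alice", "bob", "carol", "dave", "eve"]

if __name__ == "__main__":
    print(harvest(lambda u: leaky_login(u, "wrong"), CANDIDATES))
    print(harvest(lambda u: safe_login(u, "wrong"), CANDIDATES))
    print(harvest(leaky_reminder, CANDIDATES))
    print(harvest(safe_reminder, CANDIDATES))
```

Against the leaky handlers `harvest` recovers every real ID from the candidate list with a single wrong password per name; against the hardened ones it recovers nothing, because every pre-authentication outcome collapses to one response. A registration page that reports "that user ID is already taken" leaks in exactly the same way and needs the same treatment (for example, confirming via the registered e-mail address instead). Note that equalising the message alone is not enough if the timing or the HTTP status still differ, which is why the unknown-user path above hashes against a dummy credential.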
On 4/5/03 1:11 PM, "Susan Olson" <olson.susan () excite com> wrote:


I'm looking for words of wisdom/advice/ideas on how to handle this from a
security/"best practices" perspective.

Basically, I am evaluating a web application that disallows concurrent
sessions; it only allows for one unique logon session to occur at the same
time using just one username/password combination.

My question: what is the best way to handle "feedback" for users attempting to
access an account that is already logged-on?  Currently, users get a message
stating that the account that they are attempting to use is already logged-on.
I am not comfortable with this because it lends to the possible harvesting of
valid UserIDs & Passwords by an "evil doer."  Also, I have a similar issue
with the "feedback" given to users when an account is locked out ("Your account
is currently locked out, please contact an administrator") in that I only get
this message when I have entered a valid User ID & Password for an account
that is locked out; it seems to facilitate harvesting as well.

If anyone could provide me with some ideas/strategies, etc. on how to
implement this securely I would greatly appreciate it!

- Sue
