WebApp Sec mailing list archives
Re: Concurrent Sessions and User Feedback
From: Jeremy Poteet <jpoteet () tech-partners com>
Date: Sat, 05 Apr 2003 13:48:08 -0600
Sue,

My concern for harvesting user ids in the two manners you describe is when applications provide this type of information when only supplied with a user id. It sounds like in this application's case, that both a valid login and password must be provided. In that case, this feedback can be useful to a legitimate user of the account, in that they are informed if someone else may have gained access to the account.

Many systems provide the same feedback you have described when a valid user id is supplied. This would be the typical way that user ids can be harvested. Login messages such as in this case, registration pages that report that the user id has already been taken, password reminder screens that state they do not know a specific user, etc. all can be used in this manner.

Jeremy Poteet, CISSP
Chief Technology Officer
Technology Partners, Inc.
1-877-636-1331 x105 (toll free)
636-519-1221 x105
http://www.tech-partners.com

On 4/5/03 1:11 PM, "Susan Olson" <olson.susan () excite com> wrote:
I'm looking for words of wisdom/advice/ideas on how to handle this from a security/"best practices" perspective. Basically, I am evaluating a web application that disallows concurrent sessions; it only allows for one unique logon session to occur at the same time using just one username/password combination. My question: what is the best way to handle "feedback" for users attempting to access an account that is already logged-on? Currently, users get a message stating that the account that they are attempting to use is already logged-on. I am not comfortable with this because it lends to the possible harvesting of valid UserIDs & Passwords by an "evil doer." Also, I have a similar issue with the "feedback" given to users when an account is locked out: "Your account is currently locked out, please contact an administrator" in that I only get this message when I have entered a valid User ID & Password for an account that is locked out; seems to facilitate harvesting as well. If anyone could provide me with some ideas/strategies, etc. on how to implement this securely I would greatly appreciate it!

- Sue
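As an added illustration, not part of the thread, the following Python sketch contrasts a login handler whose feedback depends on the user id alone with one that returns a single generic response until both user id and password are valid, only then reporting lockout or an existing session. The in-memory account store, user names and passwords are constructed for the example.

```python
import hmac

# Constructed in-memory account store for the example (not a real system).
ACCOUNTS = {
    "alice": {"pw": "correct horse", "locked": False, "active_session": False},
    "bob":   {"pw": "battery staple", "locked": True,  "active_session": False},
    "carol": {"pw": "hunter2",        "locked": False, "active_session": True},
}

GENERIC = "Invalid user id or password."
LOCKED = "Your account is currently locked out, please contact an administrator."
IN_USE = "This account is already logged on elsewhere."

def _password_ok(user, password):
    # Always run the constant-time compare, against a dummy for unknown ids,
    # so the code path is the same whether or not the user id exists.
    stored = ACCOUNTS[user]["pw"] if user in ACCOUNTS else "dummy-password"
    ok = hmac.compare_digest(stored, password)
    return ok and user in ACCOUNTS

def leaky_login(user, password):
    """Feedback keyed on the user id alone: each branch reveals account state."""
    if user not in ACCOUNTS:
        return "Unknown user id."
    if ACCOUNTS[user]["locked"]:
        return LOCKED
    if ACCOUNTS[user]["active_session"]:
        return "This account is already logged on."
    if not _password_ok(user, password):
        return "Incorrect password."
    return "Welcome."

def hardened_login(user, password):
    """One generic response until BOTH user id and password check out; the
    state-specific messages are shown only to a holder of valid credentials."""
    if not _password_ok(user, password):
        return GENERIC
    if ACCOUNTS[user]["locked"]:
        return LOCKED
    if ACCOUNTS[user]["active_session"]:
        return IN_USE
    return "Welcome."

def distinct_responses(login, probe_password="not-the-password"):
    """Defender check: how many different responses a caller without a valid
    password can obtain across existing and non-existent user ids. A result
    of 1 means the responses reveal nothing about which ids exist or their state."""
    ids = list(ACCOUNTS) + ["nobody", "zzz"]
    return len({login(u, probe_password) for u in ids})
```

Running `distinct_responses` against both handlers is a quick way to review a login form for this class of leak before looking at wording.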