WebApp Sec mailing list archives

Re: concurrent logins

From: Stephen de Vries <stephen () continuumsecurity net>
Date: Mon, 24 Nov 2014 09:03:52 +0100

The reason I was thinking about this is the thing I was reading was
suggesting to prevent session hijacking that concurrent logins should
not be allowed, 2FA stops actual logins but not hijacks.



Session hijacking is only possible after some other vulnerability in the site is exploited, e.g. XSS, or lack of HTTPS. 
 So I would first focus the effort into countermeasures for those vulnerabilities and only afterwards start thinking 
about secondary countermeasures against session hijacking itself.  
A countermeasure not yet mentioned is to authenticate specific high risk requests with a password, or PIN.  E.g. when 
initiating a transaction like funds transfer/payment/password change, you could require the user to re-enter the 
password so that that specific request is authenticated.

regards,


—
Stephen de Vries
CTO Continuum Security
Mobile: +34 616 33 81 38
UK: +44 20 3137 0944
@stephendv




This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Current thread:

Re: concurrent logins, (continued)
- Re: concurrent logins Arvind (Nov 19)
- Re: concurrent logins Seth Art (Nov 19)
- Re: concurrent logins Matt Konda (Nov 19)
- Re: concurrent logins James Wright (Nov 19)
  - RE: concurrent logins Zaakiy Siddiqui (Nov 19)
- Message not available
  - Re: concurrent logins Robin Wood (Nov 21)
- Message not available
  - Re: concurrent logins Robin Wood (Nov 21)
- Message not available
  - Re: concurrent logins Robin Wood (Nov 21)
- RE: concurrent logins Martin O'Neal (Nov 19)
  - Re: concurrent logins Robin Wood (Nov 19)
- Re: concurrent logins Stephen de Vries (Nov 24)
  - Re: concurrent logins Robin Wood (Nov 24)