Web Application Security
concurrent logins Nov 19 2014 10:30AM
Robin Wood (robin digi ninja) (6 replies)
Re: concurrent logins Nov 19 2014 04:43PM
Seth Art (sethsec gmail com)
Re: concurrent logins Nov 19 2014 02:34PM
James Wright (jamfwright gmail com) (1 replies)
RE: concurrent logins Nov 19 2014 11:22PM
Zaakiy Siddiqui (zaakiy nticon com au)
Re: concurrent logins Nov 19 2014 02:33PM
Matt Konda (mkonda jemurai com)
Re: concurrent logins Nov 19 2014 02:32PM
Arvind (arvind doraiswamy gmail com)
I think the best way to do this is to take a quick step back and look
at the risks in each. That's because there's no 1 right answer here as
you already mentioned.

TLDR 1 - There's really only 2 options - you allow it or you don't.
Allowing means anyone can login (more ease of use) and disallowing is
safer but they can't login (less ease of use). Both have risks as
outlined below. Depends on a lot of things.

1) Allowed everywhere - Any session, stolen by anyone, can be misused
anytime from anywhere.

2) Allowed but notifies the user where she is logged in - Same as 1)
except that it alerts the user that they have logged in elsewhere. The
same risks remain though, if the user ignores the message.

3) Don't allow, kick out logged in user - This is dangerous IMO, as if
it's an admin session that's hijacked, an attacker could get in -
disable all admin accounts and DOS a lot of things while he makes
merry.

4) Don't allow, lock all out - Same as above...except the risk is
reduced if you also invalidate the session ID used just then and lock
everyone out. DOS risks still remain, just like 3... just a bit
less.

5) Same risks as 1) and 2) Isn't this pretty similar to 2)? Is it just
a different, more...in your face display that you're advocating here?

6) Same risks as 1) and 2) AND will be ignored :)...sorry couldn't resist that.

TLDR - It's very, very dependent on who your user base is, where you see
logins from, whether business wants users to go right in, especially
with the advent of mobile devices as well.

So I'd go with 5) and periodically say, once a day maybe...remind the
user that they have active sessions....like Gmail does to prompt you
to add a secondary mobile phone once in a way.

Arvind
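The four policies Arvind walks through, as an added illustration that is not part of the original thread: a small server-side session store that enforces each one, driven by a constructed scenario (an "admin" account already logged in when a second login for it arrives) so the trade-offs he lists can be compared directly. The Policy enum, SessionStore class and compare() helper are hypothetical names; note that only option 4 also kills the session id already in use, which is the difference he points to between 3) and 4).

```python
import secrets
from enum import Enum

class Policy(Enum):
    ALLOW = 1           # option 1: concurrent sessions permitted, silently
    NOTIFY = 2          # option 2: permitted, but the user is told about it
    EVICT_EXISTING = 3  # option 3: the new login kicks the existing session out
    LOCK_ALL = 4        # option 4: refuse, invalidate every session, lock the account

class SessionStore:
    """Hypothetical server-side session table enforcing one concurrent-login policy."""
    def __init__(self, policy):
        self.policy = policy
        self.sessions = {}   # session id -> (user, client description)
        self.locked = set()  # users locked out until reset through another channel
        self.notices = []    # (user, message) pairs shown on the next page view

    def active(self, user):
        return [sid for sid, (u, _) in self.sessions.items() if u == user]

    def login(self, user, client):
        """Called after the password check passed; returns a session id or None."""
        if user in self.locked:
            return None
        others = self.active(user)
        if others and self.policy is Policy.NOTIFY:
            self.notices.append((user, f"login from {client}; {len(others)} other session(s) active"))
        elif others and self.policy is Policy.EVICT_EXISTING:
            for sid in others:
                del self.sessions[sid]
        elif others and self.policy is Policy.LOCK_ALL:
            for sid in others:       # the session id currently in use dies too
                del self.sessions[sid]
            self.locked.add(user)
            return None
        sid = secrets.token_urlsafe(32)  # unguessable id, unrelated to user data
        self.sessions[sid] = (user, client)
        return sid

    def is_valid(self, sid):
        return sid in self.sessions

def compare(policy):
    """Constructed scenario: 'admin' is logged in when a second login arrives."""
    store = SessionStore(policy)
    first = store.login("admin", "office workstation")
    second = store.login("admin", "second device")
    return {"first_still_valid": store.is_valid(first), "second_accepted": second is not None,
            "account_locked": "admin" in store.locked, "user_notified": bool(store.notices)}
```

Running compare() for each Policy value shows which side of the usability/safety trade-off each option lands on: under ALLOW and NOTIFY both sessions stay live, under EVICT_EXISTING the original session is gone, and under LOCK_ALL nobody, including whoever holds the original session id, gets in until the account is unlocked.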

Re: concurrent logins Nov 19 2014 02:13PM
DavidMeans833 (DavidMeans833 air-watch com)
Re: concurrent logins Nov 19 2014 01:17PM
Irene Abezgauz (irene abezgauz gmail com) (1 replies)
RE: concurrent logins Nov 21 2014 08:58AM
Nigel Ball (Nigel K Ball dsl pipex com) (1 replies)
AW: concurrent logins Nov 21 2014 10:20AM
Wolfgang Abbas (wolfgang abbas de)
Copyright 2010, SecurityFocus