Web Application Security
Re: concurrent logins Nov 21 2014 12:30PM
Robin Wood (robin digi ninja)
On 19 November 2014 18:22, Rogan Dawes <rogan (at) dawes.za (dot) net [email concealed]> wrote:
> You have been logged out, because someone has just logged in using your
> username and password. If this was you, please ignore this message.
>
> Otherwise, please change your password immediately, and contact our security
> department at xxx-yyy-zzzz.
>
> Styled in red to gain attention and differentiate from a session timeout,
> hopefully should be alarming enough to get attention.

If it were only that easy then bad SSL certs would have been
eliminated a long time ago :)

Robin

>
> On 19 Nov 2014 16:19, "Robin Wood" <robin (at) digi (dot) ninj [email concealed]a> wrote:
>>
>> That is my number 3 but giving a warning when logging them out. Could
>> still result in a DoS and you'd have to either write very good copy on
>> the warning or train users what to do when that happens as I reckon
>> most would just click OK and then log back in again.
>>
>> Robin
>>
>> On 19 November 2014 14:14, Rogan Dawes <rogan (at) dawes.za (dot) net [email concealed]> wrote:
>> > Think you missed:
>> >
>> > 7. Log the new session in, warn that another session was active,
>> > terminate
>> > the old session.
>> >
>> > Seems to have all the desired properties.
>> >
>> > o Can't deny access to the account to someone with legit credentials.
>> > o Prevent concurrent sessions
>> > o Inform of concurrent sessions
>> > o If the attacker logs in second, the legit user is informed that
>> > another
>> > session was created, and that is the reason they were kicked out. This
>> > should be an alarm bell, if they had not tried to authenticate at the
>> > time.
>> >
>> > Rogan
>> >
>> > On 19 Nov 2014 12:30, "Robin Wood" <robin (at) digi (dot) ninj [email concealed]a> wrote:
>> >>
>> >> What are peoples opinions on allowing concurrent logins to web apps? I
>> >> suppose it depends on what the app is used for - forum, admin suite
>> >> etc - but do the protections from it add more problems that allowing
>> >> it?
>> >>
>> >> Solutions I can see are:
>> >>
>> >> 1. Allow concurrent logins
>> >> 2. Allow concurrent logins but report that someone else is logged it -
>> >> like Gmail does
>> >> 3. Don't allow them and kick out any logged in user when a new one logs
>> >> in
>> >> 4. Don't allow them and lock out all new logins till old ones have
>> >> logged
>> >> out
>> >> 5. Give a warning popup when logging in to say the account is in use
>> >> elsewhere as well
>> >> 6. Allow but report back to an admin or log tracker or similar
>> >>
>> >> 1 is the default in most cases.
>> >> 2 is a good idea but really, how many people look at the little thing
>> >> in Gmail which says where else the account is logged in from, I don't
>> >> and I'm sure normal users don't even know it exists.
>> >> 3. Good but if an attacker gets creds or a reliable session hijack
>> >> then they can use them to DoS legit users by keep logging them out.
>> >> 4. Good but if an attacker gets in they can keep the account active
>> >> and so DoS the real user by never letting them log in.
>> >> 5. Maybe the best option but only works in the legit user logs in
>> >> second otherwise the attacker gets the warning and ignores it.
>> >> 6. Good one if people are watching the logs and can act on them.
>> >>
>> >> What other options are there? Can it be done in a good way that makes
>> >> if of any use?
>> >>
>> >> Robin
>> >>
>> >>
>> >>
>> >> This list is sponsored by Cenzic
>> >> --------------------------------------
>> >> Let Us Hack You. Before Hackers Do!
>> >> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>> >> Request Yours Now!
>> >> http://www.cenzic.com/2009HClaunch_Securityfocus
>> >> --------------------------------------
>> >>
>> >

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus