Web Application Security
Re: concurrent logins Nov 21 2014 12:25PM
Robin Wood (robin digi ninja)
On 19 November 2014 15:42, Paul Robinson <paul (at) iconoplex.co (dot) uk> wrote:
> On 19 November 2014 10:30, Robin Wood <robin (at) digi (dot) ninja> wrote:
>>
>> What are people's opinions on allowing concurrent logins to web apps? I
>> suppose it depends on what the app is used for - forum, admin suite
>> etc - but do the protections from it add more problems than allowing
>> it?
>
>
>
> For consumer applications, having multiple long-lasting sessions per
> customer is the norm because that is consumer expectation (as set by
> Facebook, Twitter, et al).
>
>
>>
>> 2. Allow concurrent logins but report that someone else is logged in -
>> like Gmail does
>
>
>
> I'm a frequent Google apps for domains user, but don't recall ever seeing
> that.

If you are on the web app, look in the bottom right, it tells you where
else the account is being used. I've also heard of alerts popups or
emails about logins from odd locations but I've not seen those
personally.

Robin

>
>>
>> 3. Don't allow them and kick out any logged in user when a new one logs in
>
>
>
> That creates terrible issues in the modern world where a user might want a
> long-lasting session on their home PC, work PC, smartphone and tablet.
>
>
>>
>> 5. Give a warning popup when logging in to say the account is in use
>> elsewhere as well
>
>
>
> This can lead to confusion. People who forget that their iPad is logged in
> (or unaware) and who aren't technically sophisticated can easily be misled
> by this and I can see panicked phone calls to younger members of families
> for many applications.
>
>
>>
>> What other options are there? Can it be done in a good way that makes it
>> of any use?
>
>
>
> The market is tending towards 2FA with multiple concurrent sessions that
> last for long periods (weeks or even months), and the consumer having the
> ability to destroy all those other sessions.
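
The design the thread converges on (several long-lived concurrent sessions per user, a display of where else the account is in use, and a user-triggered "destroy all other sessions"), as an added example that is not part of the original messages. The class and method names, the 30-day lifetime and the sample values in the test are assumptions; 2FA at login is out of scope here.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    device: str       # label shown back to the user, e.g. "Home PC"
    ip: str
    created: float
    last_seen: float


class SessionRegistry:
    """In-memory registry; a real app would keep this in its session store."""

    def __init__(self, ttl_seconds=30 * 24 * 3600):  # assumed 30-day idle lifetime
        self.ttl = ttl_seconds
        self._by_token = {}

    def login(self, user, device, ip, now=None):
        """Create an additional session without touching existing ones."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._by_token[token] = Session(user, device, ip, now, now)
        return token

    def validate(self, token, now=None):
        """Return the live session for token, or None if unknown or idle too long."""
        now = time.time() if now is None else now
        session = self._by_token.get(token)
        if session is None:
            return None
        if now - session.last_seen > self.ttl:
            del self._by_token[token]
            return None
        session.last_seen = now
        return session

    def _others(self, token):
        me = self._by_token[token]  # KeyError if the caller's own token is invalid
        return [t for t, s in self._by_token.items() if s.user == me.user and t != token]

    def other_sessions(self, token):
        """Where else is this account logged in (the passive display in option 2)."""
        return [self._by_token[t] for t in self._others(token)]

    def revoke_others(self, token):
        """Destroy every other session of the same user; returns the number removed."""
        doomed = self._others(token)
        for t in doomed:
            del self._by_token[t]
        return len(doomed)
```

Revocation is keyed on the caller's own valid token, so only someone holding a live session for the account can end the others, and the session they are using survives.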
