Web Application Security
Re: concurrent logins Nov 24 2014 08:03AM
Stephen de Vries (stephen continuumsecurity net) (1 replies)
> The reason I was thinking about this is the thing I was reading was
> suggesting to prevent session hijacking that concurrent logins should
> not be allowed, 2FA stops actual logins but not hijacks.

Session hijacking is only possible after some other vulnerability in the site is exploited, e.g. XSS, or lack of HTTPS. So I would first focus the effort into countermeasures for those vulnerabilities and only afterwards start thinking about secondary countermeasures against session hijacking itself.
A countermeasure not yet mentioned is to authenticate specific high risk requests with a password, or PIN. E.g. when initiating a transaction like funds transfer/payment/password change, you could require the user to re-enter the password so that that specific request is authenticated.


Stephen de Vries
CTO Continuum Security
Mobile: +34 616 33 81 38
UK: +44 20 3137 0944

This list is sponsored by Cenzic
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!

[ reply ]
Re: concurrent logins Nov 24 2014 10:37AM
Robin Wood (robin digi ninja)


Privacy Statement
Copyright 2010, SecurityFocus