Web Application Security
Re: concurrent logins Nov 19 2014 01:53PM
Robin Wood (robin digi ninja)
In theory I like the idea of reporting to the user that the account is
already in use but just think in practice it will be like the broken
SSL cert warning, people just click through it. Maybe not as much in
corporate environments but for home users you'd have to come up with
some very good copy to go in the popup so they understood it.

Some way to audit it and a good way to detect anomalies would be good.
I've not looked, but I wonder if there are any good libraries available
for it, as I doubt most companies will have the development time or
skill to create something that does it well.

Feels like another case of real world vs ideal world.

The reason I was asking is a report template I'm using highlights it
as an issue but I would only likely mention it for a mission critical
app where they already have plenty of other protections in place and
this would add a nice extra.


On 19 November 2014 13:32, Martin O'Neal <martin.oneal (at) corsaire (dot) com [email concealed]> wrote:
> For us, this is mostly about context. For all sites, some mechanism to report multiple logins back to the user is important for transparency, as is an audit trail entry.
> But actually enforcing a single login is only really relevant to applications containing sensitive data.
> Martin...

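The design both posters describe, reporting existing sessions back to the user, writing an audit trail entry, and enforcing a single login only where the application holds sensitive data, as an added example that is not code from either poster. Everything here (the in-memory registry, the audit tuple layout, the "different address" anomaly heuristic) is an assumption for illustration.

```python
"""Concurrent-login reporting with optional single-session enforcement.

Added example for this thread, not code from either poster. The registry
records an audit entry for every login, tells the caller about sessions
already open on the account, and revokes them only when the application
is configured as holding sensitive data (enforce_single=True).
"""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    token: str
    account: str
    client_ip: str
    created: float


@dataclass
class SessionRegistry:
    enforce_single: bool  # True only for applications with sensitive data
    sessions: dict = field(default_factory=dict)  # token -> Session
    audit: list = field(default_factory=list)  # (event, account, ip, ts, extra)

    def active_for(self, account):
        return [s for s in self.sessions.values() if s.account == account]

    def login(self, account, client_ip, now=None):
        now = time.time() if now is None else now
        existing = self.active_for(account)
        # Anomaly heuristic (assumed): open sessions from a different address
        other_ips = sorted({s.client_ip for s in existing if s.client_ip != client_ip})
        notice = None
        if existing:
            notice = f"{len(existing)} other session(s) open on this account"
            self.audit.append(("concurrent_login", account, client_ip, now, other_ips))
            if self.enforce_single:  # sensitive app: keep only the newest session
                for s in existing:
                    del self.sessions[s.token]
                self.audit.append(("sessions_revoked", account, client_ip, now, len(existing)))
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, account, client_ip, now)
        self.audit.append(("login", account, client_ip, now, None))
        return token, notice, other_ips  # notice is what the UI shows the user

    def logout(self, token, now=None):
        s = self.sessions.pop(token, None)
        if s is not None:
            now = time.time() if now is None else now
            self.audit.append(("logout", s.account, s.client_ip, now, None))
        return s is not None
```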
Copyright 2010, SecurityFocus