RE: Concurrent Sessions and User Feedback

From: Rob Shein (shoten@starpower.net)
Date: 04/06/03

  • Next message: Chris Saulnier: "Re: Concurrent Sessions and User Feedback"
    From: "Rob Shein" <shoten@starpower.net>
    To: <olson.susan@excite.com>, <pen-test@securityfocus.com>
    Date: Sun, 6 Apr 2003 17:55:03 -0400
    
    

    I would say that it would be best only to offer either message if the
    login/password combination were correct. While it does to some extent
    assist someone who is brute-forcing an account, it would only work if they
    already got the correct account...and from what I'm gathering, the system
    locks out accounts that suffer too many failed attempts.

    -----Original Message-----
    From: Susan Olson [mailto:olson.susan@excite.com]
    Sent: Saturday, April 05, 2003 2:33 PM
    To: pen-test@securityfocus.com
    Subject: Concurrent Sessions and User Feedback

    I'm looking for words of wisdom/advice/ideas on how to handle this from a
    security/"best practices" perspective.

    Basically, I am evaluating a web application that disallows concurrent
    sessions; it only allows for one unique logon session to occur at the same
    time using just one username/password combination.

    My question: what is the best way to handle "feedback" for users attempting
    to access an account that is already logged-on? Currently, users get a
    message stating that the account that they are attempting to use is already
    logged-on. I am not comfortable with this because it lends to the possible
    harvesting of valid UserIDs & Passwords by an "evil doer." Also, I have a
    similar issue with the "feedback" given to users when an account is locked
    out: "Your account is currently locked out, please contact an administrator"
    in that I only get this message when I have entered a valid User ID &
    Password for an account that is locked out - seems to facilitate harvesting
    as well.

    If anyone could provide me with some ideas/strategies, etc. on how to
    implement this securely I would greatly appreciate it!

    - Sue

    _______________________________________________
    Join Excite! - http://www.excite.com
    The most personalized portal on the Web!

    Stop spam and e-mail risk at the gateway.
    SurfControl E-mail Filter puts the brakes on spam & viruses
    and gives you the reports to prove it. See exactly how much junk never even
    makes it in the door. Free 30-day trial:
    http://www.securityfocus.com/SurfControl-pen-test


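The check ordering Rob describes, written out as an added example (this is not code from the original thread or from the application Sue is evaluating): credentials are verified first; unknown users, wrong passwords and wrong passwords against locked accounts all get one generic message; and the state-specific "locked out" and "already logged on" messages are only returned on the path where the username/password pair was correct. The in-memory user store, the PBKDF2 parameters, the lockout threshold and the exact message strings are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed parameters for the example (not from the original post).
MAX_FAILED_ATTEMPTS = 3
PBKDF2_ITERATIONS = 20_000

# One generic message for every failure before credentials are verified.
GENERIC_FAILURE = "Invalid username or password."
# State-specific messages, only ever shown after a correct password.
LOCKED_OUT = "Your account is currently locked out, please contact an administrator."
ALREADY_LOGGED_ON = "This account is already logged on."
LOGIN_OK = "Login successful."


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False
    active_session: Optional[str] = None


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=_hash(password, salt))


# Dummy credentials so an unknown username costs the same hashing work as a
# real one; otherwise response time alone would reveal which usernames exist.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = _hash("", _DUMMY_SALT)


def login(users: Dict[str, Account], username: str, password: str,
          session_id: str) -> Tuple[bool, str]:
    account = users.get(username)
    salt = account.salt if account is not None else _DUMMY_SALT
    expected = account.pw_hash if account is not None else _DUMMY_HASH
    candidate = _hash(password, salt)

    # Constant-time comparison is evaluated before the existence check so the
    # unknown-user path does the same work as the wrong-password path.
    credentials_ok = hmac.compare_digest(candidate, expected) and account is not None
    if not credentials_ok:
        # Failed attempts against a real account count toward lockout, but the
        # caller still gets the generic message, locked or not.
        if account is not None:
            account.failed_attempts += 1
            if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
                account.locked = True
        return False, GENERIC_FAILURE

    # Only a caller who already holds the correct password reaches this point,
    # which is the condition Rob sets for showing either state-specific message.
    if account.locked:
        return False, LOCKED_OUT
    if account.active_session is not None and account.active_session != session_id:
        return False, ALREADY_LOGGED_ON

    account.failed_attempts = 0
    account.active_session = session_id
    return True, LOGIN_OK


def logout(users: Dict[str, Account], username: str, session_id: str) -> bool:
    """Release the single permitted session; returns False if it was not ours."""
    account = users.get(username)
    if account is None or account.active_session != session_id:
        return False
    account.active_session = None
    return True


if __name__ == "__main__":
    # Constructed sample store for a quick manual run.
    users = {"sue": make_account("correct horse")}
    print(login(users, "nobody", "anything", "s1"))
    print(login(users, "sue", "wrong", "s1"))
    print(login(users, "sue", "correct horse", "s1"))
    print(login(users, "sue", "correct horse", "s2"))
```

Note that the failed-attempt counter is incremented only on the wrong-password path, so it drives the lockout Rob refers to without the lockout state itself being visible to someone who does not have the password; a locked account and a nonexistent account answer identically to every guess that is not the correct password.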