RE: Concurrent Sessions and User Feedback

From: Rob Shein (shoten@starpower.net)
Date: 04/06/03

  • Next message: Chris Saulnier: "Re: Concurrent Sessions and User Feedback"
    From: "Rob Shein" <shoten@starpower.net>
    To: <olson.susan@excite.com>, <pen-test@securityfocus.com>
    Date: Sun, 6 Apr 2003 17:55:03 -0400

    I would say that it would be best only to offer either message if the
    login/password combination were correct. While it does to some extent
    assist someone who is brute-forcing an account, it would only work if they
    already got the correct account...and from what I'm gathering, the system
    locks out accounts that suffer too many failed attempts.

    -----Original Message-----
    From: Susan Olson [mailto:olson.susan@excite.com]
    Sent: Saturday, April 05, 2003 2:33 PM
    To: pen-test@securityfocus.com
    Subject: Concurrent Sessions and User Feedback

    I'm looking for words of wisdom/advice/ideas on how to handle this from a
    security/"best practices" perspective.

    Basically, I am evaluating a web application that disallows concurrent
    sessions; it only allows for one unique logon session to occur at the same
    time using just one username/password combination.

    My question: what is the best way to handle "feedback" for users attempting
    to access an account that is already logged-on? Currently, users get a
    message stating that the account that they are attempting to use is already
    logged-on. I am not comfortable with this because it lends to the possible
    harvesting of valid UserIDs & Passwords by an "evil doer." Also, I have a
    similar issue with the "feedback" given to users when an account is locked
    out: "Your account is currently locked out, please contact an administrator"
    in that I only get this message when I have entered a valid User ID &
    Password for an account that is locked out - seems to facilitate harvesting
    as well.

    If anyone could provide me with some ideas/strategies, etc. on how to
    implement this securely I would greatly appreciate it!

    - Sue

    _______________________________________________
    Join Excite! - http://www.excite.com
    The most personalized portal on the Web!

    top spam and e-mail risk at the gateway.
    SurfControl E-mail Filter puts the brakes on spam & viruses
    and gives you the reports to prove it. See exactly how much junk never even
    makes it in the door. Free 30-day trial:
    http://www.securityfocus.com/SurfControl-pen-test

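One way to implement the policy Rob describes (a generic failure for any wrong username/password, with the "already logged on" and "locked out" messages shown only once the credentials themselves are correct) is sketched below. This is an added example, not code from the original thread or from the application Sue is evaluating; the account store, message strings, the PBKDF2 hashing, the lockout threshold of 5 and the session-id parameter are all assumptions made here for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed policy values (not from the thread): lock after 5 failed attempts.
MAX_FAILED_ATTEMPTS = 5
PBKDF2_ITERATIONS = 50_000

# Feedback strings. Only GENERIC_FAILURE is ever shown for a wrong
# username or password; the other two require correct credentials first.
GENERIC_FAILURE = "Invalid username or password."
LOCKED_MSG = "Your account is currently locked out, please contact an administrator."
CONCURRENT_MSG = "This account is already logged on."


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False
    active_session: Optional[str] = None  # session id of the current logon, if any


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_account(username: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, salt, _hash_password(password, salt))


# Fixed salt used to burn the same hashing time for unknown usernames, so that
# "no such user" and "wrong password" are indistinguishable by response time.
_DUMMY_SALT = bytes(16)


def login(accounts: Dict[str, Account], username: str, password: str,
          new_session_id: str) -> Tuple[bool, str]:
    """Return (success, message). Account-state feedback is only revealed
    after the username/password combination has been verified."""
    acct = accounts.get(username)
    if acct is None:
        _hash_password(password, _DUMMY_SALT)  # equalize timing
        return False, GENERIC_FAILURE

    candidate = _hash_password(password, acct.salt)
    if not hmac.compare_digest(candidate, acct.pw_hash):
        # Wrong password: count it toward lockout, but say nothing about
        # the account's state, whether it is locked or already logged on.
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
        return False, GENERIC_FAILURE

    # Credentials are correct; now the specific messages are acceptable.
    if acct.locked:
        return False, LOCKED_MSG
    if acct.active_session is not None:
        return False, CONCURRENT_MSG

    acct.failed_attempts = 0
    acct.active_session = new_session_id
    return True, "Login successful."


def logout(accounts: Dict[str, Account], username: str) -> None:
    acct = accounts.get(username)
    if acct is not None:
        acct.active_session = None


if __name__ == "__main__":
    # Constructed sample data for a quick local run.
    store = {"sue": make_account("sue", "correct-horse")}
    print(login(store, "nobody", "x", "s1"))           # generic failure
    print(login(store, "sue", "wrong", "s1"))          # generic failure
    print(login(store, "sue", "correct-horse", "s1"))  # success
    print(login(store, "sue", "correct-horse", "s2"))  # already logged on
```

The point of the structure is that the lockout counter still advances on wrong passwords while an account is locked or logged on, but the caller learns nothing beyond the generic message until they already hold a valid username/password pair, which is exactly the condition Rob argues makes the more specific feedback tolerable.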

