WebApp Sec mailing list archives
Re: concurrent logins
From: Robin Wood <robin@digi.ninja>
Date: Wed, 19 Nov 2014 13:53:43 +0000
Hi,

In theory I like the idea of reporting to the user that the account is already in use, but I just think in practice it will be like the broken SSL cert warning: people just click through it. Maybe not as much in corporate environments, but for home users you'd have to come up with some very good copy to go in the popup so they understood it.

Some way to audit it and a good way to detect anomalies would be good. I've not looked, but I wonder if there are any good libraries available for it, as I doubt most companies will have the development time or skill to create something that does it well. Feels like another case of real world vs ideal world.

The reason I was asking is a report template I'm using highlights it as an issue, but I would only likely mention it for a mission critical app where they already have plenty of other protections in place and this would add a nice extra.

Robin

On 19 November 2014 13:32, Martin O'Neal <martin.oneal () corsaire com> wrote:
For us, this is mostly about context. For all sites, some mechanism to report multiple logins back to the user is important for transparency, as is an audit trail entry. But actually enforcing a single login is only really relevant to applications containing sensitive data.

Martin...
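The split Martin describes, "always report and audit, only enforce for sensitive data", as an added example that is not part of the thread or any poster's code: a Python session registry that logs every concurrent login to an audit trail, queues a notice for the user, and revokes older sessions only when single-session enforcement is switched on. The client labels, the notice queue and the in-memory store are assumptions for illustration; credential checking is assumed to happen before login() is called.

```python
# Added example (not from the thread): a session registry that always audits
# and reports concurrent logins, and enforces a single session only if configured.
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

@dataclass
class Session:
    session_id: str
    user: str
    client: str        # constructed label, e.g. source IP or device name
    created_at: datetime

class SessionManager:
    def __init__(self, enforce_single_session: bool = False):
        self.enforce_single_session = enforce_single_session
        self._sessions: Dict[str, Session] = {}
        self.audit_log: List[dict] = []           # append-only audit trail
        self._notices: Dict[str, List[str]] = {}  # messages to show the user

    def _audit(self, user: str, kind: str, detail: str) -> None:
        self.audit_log.append({"when": datetime.now(timezone.utc),
                               "user": user, "kind": kind, "detail": detail})

    def active_sessions(self, user: str) -> List[Session]:
        return [s for s in self._sessions.values() if s.user == user]

    def login(self, user: str, client: str) -> Session:
        # Called after credentials have been verified elsewhere.
        existing = self.active_sessions(user)
        if existing:
            others = ", ".join(f"{s.client} since {s.created_at:%H:%M:%S}Z" for s in existing)
            # Transparency: record it and tell the user regardless of policy.
            self._audit(user, "concurrent_login", f"new login from {client}; active: {others}")
            self._notices.setdefault(user, []).append(
                f"Your account was already signed in from: {others}. "
                "If this was not you, change your password.")
            if self.enforce_single_session:
                # Sensitive apps only: newest login wins, older sessions are revoked.
                for s in existing:
                    del self._sessions[s.session_id]
                    self._audit(user, "session_revoked", f"{s.client} ended by login from {client}")
        session = Session(secrets.token_urlsafe(32), user, client, datetime.now(timezone.utc))
        self._sessions[session.session_id] = session
        self._audit(user, "login", f"from {client}")
        return session

    def take_notices(self, user: str) -> List[str]:
        return self._notices.pop(user, [])  # render on the user's next page load
```

Rendering the notice inside the application after login, rather than as a pop-up the user can dismiss unread, and keeping the audit events in a store the SOC can query, addresses the "people click through it" concern Robin raises.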