WebApp Sec mailing list archives
Re: concurrent logins
From: Arvind <arvind.doraiswamy () gmail com>
Date: Wed, 19 Nov 2014 09:32:27 -0500
I think the best way to do this is to take a quick step back and look at the risks in each. That's because there's no one right answer here, as you already mentioned.

TLDR 1 - There are really only 2 options - you allow it or you don't. Allowing means anyone can log in (more ease of use) and disallowing is safer but they can't log in (less ease of use). Both have risks as outlined below. Depends on a lot of things.

1) Allowed everywhere - Any session, stolen by anyone, can be misused anytime from anywhere.

2) Allowed but notifies the user where she is logged in - Same as 1) except that it alerts the user that they have logged in elsewhere. The same risks remain though, if the user ignores the message.

3) Don't allow, kick out logged-in user - This is dangerous IMO, as if it's an admin session that's hijacked, an attacker could get in, disable all admin accounts and DoS a lot of things while he makes merry.

4) Don't allow, lock all out - Same as above... except the risk is reduced if you also invalidate the session ID used just then and lock everyone out. DoS risks still remain, just like 3)... just a bit less.

5) Same risks as 1) and 2). Isn't this pretty similar to 2)? Is it just a different, more... in-your-face display that you're advocating here?

6) Same risks as 1) and 2) AND will be ignored :)... sorry, couldn't resist that.

TLDR - It's very, very dependent on who your user base is, where you see logins from, whether business wants users to go right in, specially with the advent of mobile devices as well.

So I'd go with 5) and periodically, say once a day maybe... remind the user that they have active sessions... like Gmail does to prompt you to add a secondary mobile phone once in a way.

Arvind
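The four policies Arvind enumerates (allow, allow with a notice, kick out the existing session, lock everyone out), worked through as an added Python example. This is not code from the thread or from any poster; the `Policy` names, the `SessionManager` store and the `hijack_scenario` helper are illustrative assumptions, and the addresses 10.0.0.5 and 203.0.113.7 are constructed sample data. It plays out the worry raised under option 3: an admin is logged in, and someone holding the admin's credentials logs in from elsewhere. `active_for` doubles as the "show the user her active sessions" view from option 5.

```python
"""Added example (not from the thread): compare concurrent-login policies.
SessionManager, Policy and hijack_scenario are illustrative names, not a real library."""
import secrets
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Policy(Enum):
    ALLOW = 1          # option 1: unlimited concurrent sessions, no signal to the user
    ALLOW_NOTIFY = 2   # option 2: concurrent sessions allowed, the user gets a notice
    KICK_EXISTING = 3  # option 3: newest login wins, older sessions are invalidated
    LOCK_ALL = 4       # option 4: a second login invalidates every session and locks the account


@dataclass
class Session:
    sid: str
    user: str
    source: str                      # client address; constructed sample values in the scenario
    created: float = field(default_factory=time.time)


class SessionManager:
    """Minimal in-memory session store that applies one of the four policies."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.sessions: Dict[str, Session] = {}
        self.locked: Set[str] = set()
        self.notices: Dict[str, List[str]] = {}

    def active_for(self, user: str) -> List[Session]:
        """Option 5 view: every live session for a user, for display to that user."""
        return [s for s in self.sessions.values() if s.user == user]

    def login(self, user: str, source: str) -> Optional[str]:
        """Mint a session for an already-authenticated user, or refuse with None."""
        if user in self.locked:
            return None
        existing = self.active_for(user)
        if existing and self.policy is Policy.KICK_EXISTING:
            for s in existing:              # the newcomer evicts whoever was logged in
                del self.sessions[s.sid]
        elif existing and self.policy is Policy.LOCK_ALL:
            for s in existing:              # invalidate the session that was in use...
                del self.sessions[s.sid]
            self.locked.add(user)           # ...and refuse everyone until unlocked out of band
            return None
        elif existing and self.policy is Policy.ALLOW_NOTIFY:
            self.notices.setdefault(user, []).append(f"new login from {source}")
        sid = secrets.token_urlsafe(32)     # unguessable session id
        self.sessions[sid] = Session(sid, user, source)
        return sid

    def is_valid(self, sid: Optional[str]) -> bool:
        return sid is not None and sid in self.sessions

    def unlock(self, user: str) -> None:
        """Recovery path (e.g. a password reset); the only way out of LOCK_ALL."""
        self.locked.discard(user)


def hijack_scenario(policy: Policy) -> dict:
    """Option 3's worry, played out: an admin is logged in, then someone holding the
    admin's credentials logs in from a second address. Addresses are constructed data."""
    mgr = SessionManager(policy)
    admin_sid = mgr.login("admin", "10.0.0.5")
    attacker_sid = mgr.login("admin", "203.0.113.7")
    return {
        "admin_session_valid": mgr.is_valid(admin_sid),
        "attacker_got_session": mgr.is_valid(attacker_sid),
        "account_locked": "admin" in mgr.locked,
        "notices": list(mgr.notices.get("admin", [])),
        "visible_sessions": sorted(s.source for s in mgr.active_for("admin")),
    }


if __name__ == "__main__":
    for policy in Policy:
        print(policy.name, hijack_scenario(policy))
```

Running it shows the trade-off in one table: under KICK_EXISTING the legitimate admin is the one who loses the session while the second login keeps a valid one, and under LOCK_ALL nobody keeps a session and the account stays locked until `unlock` is called through some out-of-band path, which is the denial-of-service cost the message describes.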
Current thread:
- concurrent logins Robin Wood (Nov 19)
- Re: concurrent logins Irene Abezgauz (Nov 19)
- RE: concurrent logins Nigel Ball (Nov 21)
- AW: concurrent logins Wolfgang Abbas (Nov 21)
- RE: concurrent logins Nigel Ball (Nov 21)
- Re: concurrent logins DavidMeans833 () air-watch com (Nov 19)
- Message not available
- Re: concurrent logins Robin Wood (Nov 19)
- Message not available
- Re: concurrent logins Robin Wood (Nov 21)
- Re: concurrent logins Robin Wood (Nov 19)
- Re: concurrent logins Irene Abezgauz (Nov 19)
- Re: concurrent logins Arvind (Nov 19)
- Re: concurrent logins Seth Art (Nov 19)
- Re: concurrent logins Matt Konda (Nov 19)
- Re: concurrent logins James Wright (Nov 19)
- RE: concurrent logins Zaakiy Siddiqui (Nov 19)
- Message not available
- Re: concurrent logins Robin Wood (Nov 21)
- Message not available
- Re: concurrent logins Robin Wood (Nov 21)
- Message not available
- Re: concurrent logins Robin Wood (Nov 21)
- <Possible follow-ups>
- RE: concurrent logins Martin O'Neal (Nov 19)
- Re: concurrent logins Robin Wood (Nov 19)
- Re: concurrent logins Stephen de Vries (Nov 24)