WebApp Sec mailing list archives

Re: concurrent logins


From: Arvind <arvind.doraiswamy () gmail com>
Date: Wed, 19 Nov 2014 09:32:27 -0500

I think the best way to do this is to take a quick step back and look
at the risks in each. That's because there's no one right answer here,
as you already mentioned.

TL;DR 1 - There are really only two options: you allow it or you don't.
Allowing means anyone can log in (more ease of use), and disallowing is
safer but they can't log in (less ease of use). Both have risks, as
outlined below. It depends on a lot of things.

1) Allowed everywhere - Any session, stolen by anyone, can be misused
any time from anywhere.

2) Allowed but notifies the user where she is logged in - Same as 1),
except that it alerts the user that they have logged in elsewhere. The
same risks remain, though, if the user ignores the message.

3) Don't allow, kick out the logged-in user - This is dangerous IMO, as
if it's an admin session that's hijacked, an attacker could get in,
disable all admin accounts and DoS a lot of things while he makes
merry.

4) Don't allow, lock all out - Same as above... except the risk is
reduced if you also invalidate the session ID used just then and lock
everyone out. DoS risks still remain, just like 3)... just a bit
less.

5) Same risks as 1) and 2). Isn't this pretty similar to 2)? Is it just
a different, more in-your-face display that you're advocating here?

6) Same risks as 1) and 2) AND will be ignored :)... sorry, couldn't resist that.

TL;DR - It's very, very dependent on who your user base is, where you
see logins from, and whether the business wants users to go right in,
especially with the advent of mobile devices as well.

So I'd go with 5) and periodically, say once a day maybe, remind the
user that they have active sessions, like Gmail does when it prompts
you to add a secondary mobile phone once in a way.

Arvind

