WebApp Sec mailing list archives

Re: concurrent logins


From: Robin Wood <robin@digi.ninja>
Date: Fri, 21 Nov 2014 12:25:59 +0000

On 19 November 2014 15:42, Paul Robinson <paul () iconoplex co uk> wrote:
On 19 November 2014 10:30, Robin Wood <robin@digi.ninja> wrote:

What are people's opinions on allowing concurrent logins to web apps? I
suppose it depends on what the app is used for - forum, admin suite
etc - but do the protections from it add more problems than allowing
it?



For consumer applications, having multiple long-lasting sessions per
customer is the norm because that is consumer expectation (as set by
Facebook, Twitter, et al).



2. Allow concurrent logins but report that someone else is logged in -
like Gmail does



I'm a frequent Google apps for domains user, but don't recall ever seeing
that.

If you are on the web app, look in the bottom right, it tells you where
else the account is being used. I've also heard of alert popups or
emails about logins from odd locations but I've not seen those
personally.

Robin



3. Don't allow them and kick out any logged in user when a new one logs in



That creates terrible issues in the modern world where a user might want a
long-lasting session on their home PC, work PC, smartphone and tablet.



5. Give a warning popup when logging in to say the account is in use
elsewhere as well



This can lead to confusion. People who forget that their iPad is logged in
(or are unaware of it) and who aren't technically sophisticated can easily be misled
by this, and I can see panicked phone calls to younger members of families
for many applications.



What other options are there? Can it be done in a good way that makes it
of any use?



The market is tending towards 2FA with multiple concurrent sessions that
last for long periods (weeks or even months), and the consumer having the
ability to destroy all those other sessions.
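The policies the thread discusses (allow concurrent sessions but report the others, kick out existing sessions on a new login, and let the user destroy all other sessions) as an added example, not code from the list or from any product mentioned above; the store, its method names, the idle timeout and the device labels are all assumptions.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    sid: str
    user: str
    client: str       # constructed device label, e.g. "home PC"
    last_seen: float


class SessionStore:
    """In-memory session table keyed by session id (assumed design, not a
    real framework's API). single_session=False allows concurrent logins
    and reports the others; single_session=True kicks the others out."""

    def __init__(self, max_age=90 * 24 * 3600, single_session=False):
        self.by_id = {}
        self.max_age = max_age              # idle limit for long-lived sessions
        self.single_session = single_session

    def active_sessions(self, user, now=None):
        now = time.time() if now is None else now
        return [s for s in self.by_id.values()
                if s.user == user and now - s.last_seen < self.max_age]

    def login(self, user, client, now=None):
        """Create a session; returns (sid, device labels of other live sessions)."""
        now = time.time() if now is None else now
        others = [s.client for s in self.active_sessions(user, now)]
        sid = secrets.token_urlsafe(32)     # unguessable id from a CSPRNG
        self.by_id[sid] = Session(sid, user, client, now)
        if self.single_session:             # option 3: only the newest login survives
            self.revoke_others(user, sid)
        return sid, others

    def revoke_others(self, user, keep_sid):
        """'Destroy all other sessions' for this user; returns how many were revoked."""
        doomed = [s.sid for s in self.by_id.values()
                  if s.user == user and s.sid != keep_sid]
        for sid in doomed:
            del self.by_id[sid]
        return len(doomed)

    def validate(self, sid, now=None):
        """Per-request check: unknown or idle-expired ids are rejected and dropped."""
        now = time.time() if now is None else now
        s = self.by_id.get(sid)
        if s is None or now - s.last_seen >= self.max_age:
            self.by_id.pop(sid, None)
            return None
        s.last_seen = now
        return s
```

The list of other live sessions returned by login is what a "someone else is logged in" notice would be built from, and revoke_others is the "log out everywhere else" button.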


