WebApp Sec mailing list archives
Re: concurrent logins
From: Robin Wood <robin@digi.ninja>
Date: Fri, 21 Nov 2014 12:25:59 +0000
On 19 November 2014 15:42, Paul Robinson <paul () iconoplex co uk> wrote:

> On 19 November 2014 10:30, Robin Wood <robin@digi.ninja> wrote:
>
>> What are people's opinions on allowing concurrent logins to web apps? I
>> suppose it depends on what the app is used for - forum, admin suite etc -
>> but do the protections from it add more problems than allowing it?
>
> For consumer applications, having multiple long-lasting sessions per
> customer is the norm because that is consumer expectation (as set by
> Facebook, Twitter, et al).
>
>> 2. Allow concurrent logins but report that someone else is logged in -
>> like Gmail does
>
> I'm a frequent Google apps for domains user, but don't recall ever seeing
> that.

If you are on the web app, look in the bottom right, it tells you where else
the account is being used. I've also heard of alert popups or emails about
logins from odd locations but I've not seen those personally.

Robin

>> 3. Don't allow them and kick out any logged in user when a new one logs in
>
> That creates terrible issues in the modern world where a user might want a
> long-lasting session on their home PC, work PC, smartphone and tablet.
>
>> 5. Give a warning popup when logging in to say the account is in use
>> elsewhere as well
>
> This can lead to confusion. People who forget that their iPad is logged in
> (or unaware) and who aren't technically sophisticated can easily be misled
> by this and I can see panicked phone calls to younger members of families
> for many applications.
>
>> What other options are there? Can it be done in a good way that makes it
>> of any use?
>
> The market is tending towards 2FA with multiple concurrent sessions that
> last for long periods (weeks or even months), and the consumer having the
> ability to destroy all those other sessions.