RE: Concurrent Sessions and User Feedback

From: Rob Shein (shoten@starpower.net)
Date: Sun Apr 06 2003 - 17:55:03 EDT


I would say that it would be best only to offer either message if the
login/password combination were correct. While it does to some extent
assist someone who is brute-forcing an account, it would only work if they
already got the correct account...and from what I'm gathering, the system
locks out accounts that suffer too many failed attempts.

-----Original Message-----
From: Susan Olson [mailto:olson.susan@excite.com]
Sent: Saturday, April 05, 2003 2:33 PM
To: pen-test@securityfocus.com
Subject: Concurrent Sessions and User Feedback

I'm looking for words of wisdom/advice/ideas on how to handle this from a
security/"best practices" perspective.

Basically, I am evaluating a web application that disallows concurrent
sessions; it only allows for one unique logon session to occur at the same
time using just one username/password combination.

My question.what is the best way to handle "feedback" for users attempting
to access an account that is already logged-on? Currently, users get a
message stating that the account that they are attempting to use is already
logged-on. I am not comfortable with this because it lends to the possible
harvesting of valid UserIDs & Passwords by an "evil doer." Also, I have a
similar issue with the "feedback" given to users when an account is locked
out."Your account is currently locked out, please contact an administrator"
in that I only get this message when I have entered a valid User ID &
Password for an account that is locked out - seems to facilitate harvesting
as well.

If anyone could provide me with some ideas/strategies, etc. on how to
implement this securely I would greatly appreciate it!

- Sue

_______________________________________________
Join Excite! - http://www.excite.com
The most personalized portal on the Web!

top spam and e-mail risk at the gateway.
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it. See exactly how much junk never even
makes it in the door. Free 30-day trial:
http://www.securityfocus.com/SurfControl-pen-test

top spam and e-mail risk at the gateway.
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it. See exactly how much
junk never even makes it in the door. Free 30-day trial:
http://www.securityfocus.com/SurfControl-pen-test



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:31 EDT