RE: Concurrent Sessions and User Feedback

From: Rob Shein (shotenat_private)
Date: Sun Apr 06 2003 - 14:55:03 PDT

Next message: Chris Saulnier: "Re: Concurrent Sessions and User Feedback"

Previous message: Alex Zimin: "Top 10 vulnerabilities and open ports."
In reply to: Susan Olson: "Concurrent Sessions and User Feedback"
Next in thread: Chris Saulnier: "Re: Concurrent Sessions and User Feedback"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I would say that it would be best only to offer either message if the
login/password combination were correct.  While it does to some extent
assist someone who is brute-forcing an account, it would only work if they
already got the correct account...and from what I'm gathering, the system
locks out accounts that suffer too many failed attempts.

-----Original Message-----
From: Susan Olson [mailto:olson.susanat_private] 
Sent: Saturday, April 05, 2003 2:33 PM
To: pen-testat_private
Subject: Concurrent Sessions and User Feedback

I'm looking for words of wisdom/advice/ideas on how to handle this from a
security/"best practices" perspective.  

Basically, I am evaluating a web application that disallows concurrent
sessions; it only allows for one unique logon session to occur at the same
time using just one username/password combination.  

My question.what is the best way to handle "feedback" for users attempting
to access an account that is already logged-on?  Currently, users get a
message stating that the account that they are attempting to use is already
logged-on.  I am not comfortable with this because it lends to the possible
harvesting of valid UserIDs & Passwords by an "evil doer."  Also, I have a
similar issue with the "feedback" given to users when an account is locked
out."Your account is currently locked out, please contact an administrator"
in that I only get this message when I have entered a valid User ID &
Password for an account that is locked out - seems to facilitate harvesting
as well.  

If anyone could provide me with some ideas/strategies, etc. on how to
implement this securely I would greatly appreciate it! 

- Sue

_______________________________________________
Join Excite! - http://www.excite.com
The most personalized portal on the Web!

top spam and e-mail risk at the gateway.
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it. See exactly how much junk never even
makes it in the door. Free 30-day trial:
http://www.securityfocus.com/SurfControl-pen-test

top spam and e-mail risk at the gateway.
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it. See exactly how much
junk never even makes it in the door. Free 30-day trial:
http://www.securityfocus.com/SurfControl-pen-test

Next message: Chris Saulnier: "Re: Concurrent Sessions and User Feedback"
Previous message: Alex Zimin: "Top 10 vulnerabilities and open ports."
In reply to: Susan Olson: "Concurrent Sessions and User Feedback"
Next in thread: Chris Saulnier: "Re: Concurrent Sessions and User Feedback"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Apr 06 2003 - 19:09:12 PDT