I'm new here, and also inexperienced, so I'm not sure how good these ideas would be in practice.

If this is for an application where only certain people will have accounts, not a public app where anyone can sign up, then you could do the following: if it's a successful login, but the account is locked out, currently logged in, or if the username and password don't exist, give an error saying "please check your company email, a message has been delivered to you", in which it will detail the problem with their account, if the account actually existed.

If it is a public application, then you could just give an unhelpful message like "there was an error logging in, please contact the admin if you believe this login should have worked".

Chris Saulnier
http://paladindesign.net

----- Original Message -----
From: "Susan Olson" <olson.susanat_private>
To: <pen-testat_private>
Sent: Saturday, April 05, 2003 4:33 PM
Subject: Concurrent Sessions and User Feedback

> I'm looking for words of wisdom/advice/ideas on how to handle this from a security/"best practices" perspective.
>
> Basically, I am evaluating a web application that disallows concurrent sessions; it only allows for one unique logon session to occur at the same time using just one username/password combination.
>
> My question: what is the best way to handle "feedback" for users attempting to access an account that is already logged on? Currently, users get a message stating that the account that they are attempting to use is already logged on. I am not comfortable with this because it lends to the possible harvesting of valid UserIDs & Passwords by an "evil doer." Also, I have a similar issue with the "feedback" given to users when an account is locked out: "Your account is currently locked out, please contact an administrator", in that I only get this message when I have entered a valid User ID & Password for an account that is locked out - seems to facilitate harvesting as well.
>
> If anyone could provide me with some ideas/strategies, etc. on how to implement this securely I would greatly appreciate it!
>
> - Sue

Stop spam and e-mail risk at the gateway. SurfControl E-mail Filter puts the brakes on spam & viruses and gives you the reports to prove it. See exactly how much junk never even makes it in the door. Free 30-day trial: http://www.securityfocus.com/SurfControl-pen-test
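The approach discussed in this thread (one generic error for bad password, unknown user, locked account and concurrent session, with the real reason kept server-side or sent out of band), as an added example that is not part of either poster's message. The account names, passwords, message text, and the `audit` and `notify` lists standing in for a log and an email queue are all constructed for this example.

```python
# Added example (not from the original thread): a login handler that returns
# one generic message for every failure so a caller can't tell "bad password"
# from "locked" or "already logged on". The detailed reason goes to the
# server-side audit log and, for internal deployments, to an out-of-band
# notification queue (standing in for the "check your company email" idea).
# Account names, passwords and the message text are constructed for this example.
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

GENERIC_ERROR = ("There was an error logging in. If you believe this login "
                 "should have worked, please contact the administrator.")
PBKDF2_ROUNDS = 50_000


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    locked: bool = False
    active_session: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_account(username: str, password: str, *, locked: bool = False,
                 active_session: bool = False) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), locked, active_session)


# Hashing a dummy credential for unknown users keeps the response time close
# to that of a real account, so timing doesn't leak which usernames exist.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login(accounts: dict, username: str, password: str,
          audit: list, notify: list, internal: bool = False):
    """Return (success, message). The message is identical for every
    failure; `audit` gets the real reason, `notify` gets an out-of-band
    notice for internal apps (hypothetical stand-ins for a log and a mailer)."""
    acct = accounts.get(username)
    if acct is None:
        hmac.compare_digest(hash_password(password, _DUMMY_SALT), _DUMMY_HASH)
        audit.append(("unknown_user", username))
        return False, GENERIC_ERROR

    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        reason = "bad_password"
    elif acct.locked:
        reason = "locked"
    elif acct.active_session:
        reason = "concurrent_session"
    else:
        reason = None

    if reason is not None:
        audit.append((reason, username))
        # Only someone who supplied the right password triggers a notice, and
        # it goes to the registered mailbox, never into the HTTP response.
        if internal and reason in ("locked", "concurrent_session"):
            notify.append((username, reason))
        return False, GENERIC_ERROR

    acct.active_session = True
    audit.append(("success", username))
    return True, "Login successful."
```

The point to check when deploying something like this is that every failure path reaches the same return statement with the same string and roughly the same amount of work; the distinctions live only in `audit` and `notify`, which an anonymous caller never sees.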
This archive was generated by hypermail 2b30 : Sun Apr 06 2003 - 19:09:22 PDT