
Re: Concurrent Sessions and User Feedback

From: Daniel Staal <DStaal(at)usa.net>
Date: Sun Apr 06 2003 - 20:15:17 EDT

--On Saturday, April 5, 2003 2:33 PM -0500 Susan Olson <olson.susan@excite.com> wrote:

> My question...what is the best way to handle "feedback" for users
> attempting to access an account that is already logged-on?
> Currently, users get a message stating that the account that they
> are attempting to use is already logged-on. I am not comfortable
> with this because it lends to the possible harvesting of valid
> UserIDs & Passwords by an "evil doer." Also, I have a similar
> issue with the "feedback" given to users when an account is locked

No specific suggestions besides the obvious: change the error messages so that they are all the same. (Something along the line of "This username/password combination is not valid at this time." It is true in all cases...)

The problem of course is debugging. You may want to put in error codes for debugging (though a smart attacker could figure the error codes out and then you are back where you started. Still, it would be useful *before* you deploy at least, and you could remove them at the end of a debug cycle.)

The other problem is if you have an attacker smart enough to check timing differences. If the time to decide one case is detectably different than the other, that allows an avenue of opportunity. It may happen that all differences are indistinguishable from network latency variations, but you would want to be sure...

Daniel T. Staal



This email copyright the author. Unless otherwise noted, you are expressly allowed to retransmit, quote, or otherwise use the contents for non-commercial purposes. This copyright will expire 5 years after the author's death, or in 30 years, whichever is longer, unless such a period is in excess of local copyright law.
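As an added illustration of the two points made in the reply above (one message for every failure path, and the same amount of work on every path so timing does not reveal which case occurred), here is example code that is not from the original thread; the user store, salt, passwords and internal error codes are constructed for the example.

```python
import hashlib
import hmac
import logging
import os

log = logging.getLogger("auth")

# One message for every failure, so the response never reveals whether the
# username exists, the password was wrong, the account is locked, or a
# session is already active.
GENERIC_FAILURE = "This username/password combination is not valid at this time."

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample user store (not real accounts).
_SALT = b"constructed-salt"
USERS = {
    "alice": {"salt": _SALT, "hash": _hash("correct horse", _SALT),
              "locked": False, "session_active": False},
    "bob":   {"salt": _SALT, "hash": _hash("hunter2", _SALT),
              "locked": True, "session_active": False},
    "carol": {"salt": _SALT, "hash": _hash("s3cret", _SALT),
              "locked": False, "session_active": True},
}
# Dummy record used for unknown usernames, so the same PBKDF2 work is done
# whether or not the account exists (keeps server-side timing uniform).
_DUMMY = {"salt": _SALT, "hash": _hash(os.urandom(16).hex(), _SALT),
          "locked": False, "session_active": False}

def login(username: str, password: str) -> tuple:
    """Return (success, message). The specific reason goes only to the server log."""
    record = USERS.get(username, _DUMMY)
    known = username in USERS
    # Always compute and compare the hash; compare_digest has no early exit.
    pw_ok = hmac.compare_digest(_hash(password, record["salt"]), record["hash"])
    # Evaluate every condition instead of returning on the first failure.
    reason = None
    if not known:
        reason = "E01 unknown user"
    if not pw_ok:
        reason = reason or "E02 bad password"
    if record["locked"]:
        reason = reason or "E03 account locked"
    if record["session_active"]:
        reason = reason or "E04 session already active"
    if reason:
        log.info("login failed for %r: %s", username, reason)  # server log only
        return False, GENERIC_FAILURE
    return True, "Welcome"
```

The error codes are the debugging aid the reply mentions, kept in the server log rather than the response, so removing them before deployment is not needed to keep the user-facing message uniform.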

Received on Sun Apr 6 22:12:27 2003


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:34 EDT

