Hosting Provided By

Concurrent Sessions and User Feedback

From: Susan Olson <olson.susan(at)excite.com>
Date: Sat Apr 05 2003 - 14:11:32 EST

I’m looking for words of wisdom/advice/ideas on how to handle this from a security/“best practices” perspective.

Basically, I am evaluating a web application that disallows concurrent sessions; it only allows for one unique logon session to occur at the same time using just one username/password combination.

My question…what is the best way to handle “feedback” for users attempting to access an account that is already logged-on? Currently, users get a message stating that the account that they are attempting to use is already logged-on. I am not comfortable with this because it lends to the possible harvesting of valid UserIDs & Passwords by an “evil doer.” Also, I have a similar issue with the “feedback” given to users when an account is locked out…”Your account is currently locked out, please contact an administrator” in that I only get this message when I have entered a valid User ID & Password for an account that is locked out – seems to facilitate harvesting as well.

If anyone could provide me with some ideas/strategies, etc. on how to implement this securely I would greatly appreciate it!

Join Excite! - http://www.excite.com
The most personalized portal on the Web! Received on Sat Apr 5 14:36:15 2003

This message: [ Message body ]
Next message: Gabriel Lawrence: "Re: Concurrent Sessions and User Feedback"
Previous message: David Rhoades: "web app security in Alexandria, VA (USA) - April 21, 2003"
Next in thread: Gabriel Lawrence: "Re: Concurrent Sessions and User Feedback"
Reply: Gabriel Lawrence: "Re: Concurrent Sessions and User Feedback"
Reply: Jeremy Poteet: "Re: Concurrent Sessions and User Feedback"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:50 EDT