WebApp Sec: Concurrent Sessions and User Feedback

["Susan Olson" <olson.susan () excite com>]

I’m looking for words of wisdom/advice/ideas on how to handle this from a security/“best practices” perspective.  

Basically, I am evaluating a web application that disallows concurrent sessions; it only allows for one unique logon 
session to occur at the same time using just one username/password combination.  

My question…what is the best way to handle “feedback” for users attempting to access an account that is already 
logged-on?  Currently, users get a message stating that the account that they are attempting to use is already 
logged-on.  I am not comfortable with this because it lends to the possible harvesting of valid UserIDs & Passwords by 
an “evil doer.”  Also, I have a similar issue with the “feedback” given to users when an account is locked out…”Your 
account is currently locked out, please contact an administrator” in that I only get this message when I have entered a 
valid User ID & Password for an account that is locked out – seems to facilitate harvesting as well.  

If anyone could provide me with some ideas/strategies, etc. on how to implement this securely I would greatly 
appreciate it! 

- Sue

_______________________________________________
Join Excite! - http://www.excite.com
The most personalized portal on the Web!