Re: improvements in session management?

Michael Ströder wrote:
> WebAppSecurity [Technicalinfo.net] wrote:
>
>> 1. Only allow any user to have a single active connection to the web
>> application. (simultaneous logins result in slosure of all sessions).
>
> Great opportunity for DoS attacks. ;-)

After being asked off list:

Sorry, maybe I got the original poster wrong.

My first thought was if someone manages to grab the session ID he/she can
logout the valid user immediately by trying to access the web application
with this session ID.

But after rethinking maybe the original poster thought about a second login
with a *valid* authentication. This would not be vulnerable to DoS attack.
Well, still I'd assume it's bad advice to close all sessions. A better
approach would be to refuse the second login.

Ciao, Michael.
Received on Apr 01 2004