WebApp Sec: Re: improvements in session management?

[dd <dd () ghettohackers net>]

> My first thought was if someone manages to grab the session ID he/she 
> can logout the valid user immediately by trying to access the web 
> application with this session ID.
> But after rethinking maybe the original poster thought about a second 
> login with a *valid* authentication. This would not be vulnerable to DoS 
> attack. Well, still I'd assume it's bad advice to close all sessions. A 
> better approach would be to refuse the second login.
Refusing the second login would cause the dos attack.  If I hijack your 
session and have a bot "sit on it" you will never beable to log in again.
By closing any secondary sessions on a valid login you provide a way for 
a user to stop an inprogress hijacking.  The only problems with this 
occur if you expect multiple logins at once, or the users creds are 
stolen (which is a problem larger then session hijacking and dos issues).
dd