WebApp Sec mailing list archives

Re: Concurrent Sessions and User Feedback


From: Gabriel Lawrence <gabe () landq org>
Date: Sat, 05 Apr 2003 11:44:38 -0800

The way we handle this in some of our applications is the following:

1. If they successfully log in with a valid password and username then the message should allow them to kill off the other session. If the uname or password isn't valid see the next entry.

2. If the account is locked out, invalid, suspended, or non-existent you should give basically the same message. Something along the lines of "login is invalid, if you are having trouble please contact support at ...."

Hope this helps,
-gabe
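Gabriel's two rules written out as a login check, as an added example that is not from the thread. The account store, the active-session set, the message wording and the PBKDF2 parameters are all assumptions made up for illustration; the point is that every failure path (bad password, unknown user, locked or suspended account) returns one identical message, and only a fully valid login learns that another session exists.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# One message for every failure, so the response never reveals whether the
# username exists, whether the password was right, or whether the account is locked.
GENERIC_FAILURE = "Login is invalid. If you are having trouble, please contact support."
# Only reached after username AND password were verified (rule 1 in the reply).
SESSION_CONFLICT = "You are already logged in elsewhere. Log in again with 'end other session' to continue."
SUCCESS = "Login successful."


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 parameters are an assumption for this example, not a recommendation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    status: str = "active"   # assumed values: active | locked | suspended


def make_account(password: str, status: str = "active") -> Account:
    salt = os.urandom(16)
    return Account(salt, _hash(password, salt), status)


# Constructed sample data: two hypothetical accounts, one of which is locked.
ACCOUNTS = {
    "alice": make_account("correct horse", "active"),
    "bob": make_account("hunter2", "locked"),
}
ACTIVE_SESSIONS = {"alice"}   # usernames that currently hold a live session

# Dummy credential so an unknown username costs the same hash work as a real one
# (keeps response time from leaking whether the account exists).
_DUMMY = make_account(os.urandom(16).hex())


def login(username: str, password: str, kill_other: bool = False):
    """Return (ok, message). All failure cases yield GENERIC_FAILURE (rule 2)."""
    acct = ACCOUNTS.get(username, _DUMMY)
    pw_ok = hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)
    if username not in ACCOUNTS or not pw_ok or acct.status != "active":
        return False, GENERIC_FAILURE
    if username in ACTIVE_SESSIONS and not kill_other:
        return False, SESSION_CONFLICT   # valid credentials: safe to offer the kill option
    ACTIVE_SESSIONS.add(username)        # kill_other=True replaces the existing session
    return True, SUCCESS
```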

Susan Olson wrote:

I'm looking for words of wisdom/advice/ideas on how to handle this from a security/"best practices" perspective. Basically, I am evaluating a web application that disallows concurrent sessions; it only allows for one unique logon session to occur at the same time using just one username/password combination. My question...what is the best way to handle "feedback" for users attempting to access an account that is already logged-on? Currently, users get a message stating that the account that they are attempting to use is already logged-on. I am not comfortable with this because it lends to the possible harvesting of valid UserIDs & Passwords by an "evil doer." Also, I have a similar issue with the "feedback" given to users when an account is locked out..."Your account is currently locked out, please contact an administrator" in that I only get this message when I have entered a valid User ID & Password for an account that is locked out - seems to facilitate harvesting as well. If anyone could provide me with some ideas/strategies, etc. on how to implement this securely I would greatly appreciate it!
- Sue

