Restrict Concurrent Logins

Idea created by russell.pope on Oct 31, 2014
    Not planned
    Score36

    During IT health checks and pen tests that we commission for some of our higher security implementations of CA SDM 12.5 we often get the following issue raised.

     

    Description:

    The application did not prevent a particular user from logging in multiple times creating multiple sessions,

    potentially from different IP addresses.

    Permitting a user to login multiple times may create concurrency faults, created when a particular set of data

    is updated simultaneously or at least almost synchronously by separate requests from alternative sessions.

    This could generate inconsistencies or exceptions, depending upon the nature of the data being modified and

    give cause to user confusion. In addition, failure to prevent concurrent logins may permit a potentially

    compromised account to go unnoticed as ‘illegitimate’ and ‘legitimate’ usage could occur at the same time.

    Recommendation:

    User accounts within the application should only be permitted to use one session at a time. The session

    management system currently in place seems to prevent the identification and/or exclusion of multiple

    sessions. It is therefore recommended that session concurrency settings be implemented.

     

    I understand that restricting concurrent logins in web applications can be problematic - especially for support teams where users can lose a session by abnormal shutdown of the browser and then maybe unable to login again until the session times out. However I propose that CA SDM is enhanced to popup a message to the end user if they try to login to a second session. The popup should advise that the userid is already logged in on a session and ask if they would like to continue and that continuing to login would mean that the previous session would be logged off. If the user accepts the prompt and asks to continue then the other session for the user id should be ended and the new login session created.

     

    If the user does not accept the prompt then they should be returned to the login screen without creating a new session.

     

    If someone tries to use a session that has been ended in this way then they should be prompted with a session ended message / prompt and sent back to the login screen without creating a new session.

     

    This idea would provide a useful security enhancement to the application which would go some way to keeping our security accreditors happy.