
Re: login security issue


  • Subject: Re: login security issue
  • From: " Kuon - Nicolas Goy (Goyman.com SA) - 時期精霊 " <email@hidden>
  • Date: Fri, 14 Jul 2006 17:37:16 +0200

Hello guys,

I found the question interesting, and as I love to feel important :P I wrote a few lines.

Firstly, all our sessions are created only upon successful login (the login page uses a normal static form, with a direct action for the login).

Then, for the problem described, theoretically speaking, there is no "secure" way of doing it, as the user will always have to send the info via the web browser.

But I think your question will remain in the "normal users" security, I mean people just hitting the back button and not knowing how to view the browser cache and so on.

For this, we use a simple JavaScript code which does the following:
- Open a new window.
- Close login window.
- Clear last history entry.

Now, if you want a truly secure login, there is only one way I know: the third security credential (RSA SecurID, phone call or simply a list of numbers on paper, in sync with the server).

Lastly, you can also put some transparent security checks like:
- If re-logging in after a logout (less than 1h from the same IP), you ask a second time for the password.
- Do not allow 2 sessions with the same username.
- Do not allow 2 sessions with the same IP.
- Ask for the password on sensitive tasks (like deleting a file, deleting a bunch of info, stopping the nuclear factory... :P).
- Put a JavaScript timer on the page; this timer will call logout after x seconds.

Those are just some ideas; then you should do what meets your needs.

Regards
--
Kuon
CEO - Goyman.com SA
http://www.goyman.com/

"Computers should not stop working when the users' brain do."



Attachment: smime.p7s
Description: S/MIME cryptographic signature
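The server-side checks listed in the message above (a session created only on successful login, one session per username, a password re-check before sensitive tasks, and a server-side idle timeout in place of the client-side JavaScript timer), as an added Python example that is not code from the original post or from WebObjects. `SessionPolicy`, its app-supplied `verify_password` callable and the timeout values are assumptions; the per-IP rule is left out because shared addresses behind NAT or proxies make it unreliable.

```python
import secrets, time

REAUTH_WINDOW = 300   # seconds a password confirmation stays fresh for sensitive tasks
IDLE_TIMEOUT = 900    # seconds of inactivity before the server expires a session

class SessionPolicy:
    # Hypothetical server-side session rules: a session exists only after a successful
    # login, one live session per user, idle expiry, fresh password before sensitive tasks.
    def __init__(self, verify_password, now=time.time):
        self.verify = verify_password    # app-supplied: (user, password) -> bool
        self.now = now                   # injectable clock so the rules are testable
        self.sessions = {}               # sid -> {"user", "last_seen", "authed_at"}
        self.by_user = {}                # username -> its single live sid

    def login(self, user, password):
        if not self.verify(user, password):
            return None                  # no session object is ever created on failure
        self.logout(self.by_user.get(user))   # a new login evicts the user's old session
        sid = secrets.token_urlsafe(32)  # unguessable id, never derived from user data
        t = self.now()
        self.sessions[sid] = {"user": user, "last_seen": t, "authed_at": t}
        self.by_user[user] = sid
        return sid

    def touch(self, sid):
        # Return the session's user, or None (dropping the session) once idle past IDLE_TIMEOUT
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.now() - s["last_seen"] > IDLE_TIMEOUT:
            self.logout(sid)
            return None
        s["last_seen"] = self.now()
        return s["user"]

    def sensitive_action(self, sid, password=None):
        # Sensitive tasks need a password confirmed within the last REAUTH_WINDOW seconds;
        # a correct password supplied with the request refreshes that confirmation.
        user = self.touch(sid)
        if user is None:
            return "no session"
        s = self.sessions[sid]
        if password is not None and self.verify(user, password):
            s["authed_at"] = self.now()
        return "ok" if self.now() - s["authed_at"] <= REAUTH_WINDOW else "reauth required"

    def logout(self, sid):
        s = self.sessions.pop(sid, None)
        if s:
            self.by_user.pop(s["user"], None)
```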


References: 
 >Re: login security issue (From: Thomas Pelaia II <email@hidden>)
