Re: login security issue
- Subject: Re: login security issue
- From: "Kuon - Nicolas Goy (Goyman.com SA) - 時期精霊" <email@hidden>
- Date: Fri, 14 Jul 2006 17:37:16 +0200
Hello guys,
I found the question interesting, and as I love to feel important :P I
wrote a few lines.
Firstly, all our sessions are created only upon successful login.
(The login page uses a normal static form, with a direct action for
the login.)
Then, for the problem described, theoretically speaking, there is no
"secure" way of doing it, as the user will always have to send the
info via the web browser.
But I think your question will remain in the "normal users" security,
I mean people just hitting the back button and not knowing how to
view the browser cache and so on.
For this, we use a simple JavaScript code which does the following:
- Open a new window.
- Close the login window.
- Clear the last history entry.
Now, if you want a truly secure login, there is only one way I know,
the third security credential. (RSA SecurID, a phone call, or simply a
list of numbers on paper, in sync with the server.)
At last, you can also put in some transparent security checks like:
- If re-logging in after a logout (less than 1h ago, from the same IP), ask a
second time for the password.
- Do not allow 2 sessions with the same username.
- Do not allow 2 sessions with the same IP.
- Ask for the password on sensitive tasks. (like deleting a file,
deleting a bunch of info, stopping the nuclear plant... :P )
- Put a JavaScript timer on the page; this timer will call logout after x
seconds.
Those are just some ideas; then you should do what meets your needs.
Regards
--
Kuon
CEO - Goyman.com SA
http://www.goyman.com/
"Computers should not stop working when the users' brain do."