cocoon-dev mailing list archives

From "Antonio Gallardo" <>
Subject RE: software licensing - security.
Date Mon, 03 Feb 2003 11:59:10 GMT
Nathaniel Alfred said:
>>-----Original Message-----
>>From: Antonio Gallardo [] Sent:
>> Monday, 3 February 2003 12:10
>>Subject: Re: software licensing - security.
>>I think sometimes it is good to restrict the access of the users. I recently
>>got a requirement from a customer (for security reasons):
>>"The user can run only one session in the system".
>>The idea is that if you are already logged on a computer, you cannot run
>>another session with the same username and password. Also nobody can use
>>your username and password to go into the system, because you are already
>>using it.
>>Of course if the user needs to move to another computer, he must first
>>log off.
>>I know that this requirement is unusual. But some companies have this kind
>>of business rules. ;-)
>>I thought that we can change the authentication manager to set some
>>parameters in this area. What do you think?
> We also had this requirement from one of our customers.  The trouble is
> though that with HTTP the server cannot know if the user is still at
> the other end.
> If the browser crashes, or the user closes it without logging off, the
> server keeps the session until it times out.  If you say the second
> login is rejected, you will need to wait for the session timeout
> (typically 20 minutes) before the user can get in again.
> (A similar scenario is that the user went to his boss to show him
> something, but can't log in there because he forgot to log out first on
> his own browser.)
Good point. This will help to sell the idea you proposed below. :-D

> Therefore, you should sell your customer at least the compromise, that
> the second login succeeds but dumps the first login.
> To implement that one only needs to loop over all existing sessions and
> expire immediately those with the same credentials.  (I have currently
> no idea, where this could be done.)

I think that we need to hack the authentication-manager component, adding
code that will check this condition and invalidate the old session.

> Cheers, Alfred.

Antonio Gallardo
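The two policies discussed in this thread, "reject the second login" and "second login succeeds but dumps the first", side by side in a small session store. This is an added illustration, not Cocoon's authentication manager; the class and method names are hypothetical, and the credential check itself is assumed to have happened before `login` is called.

```python
import secrets
import time
from dataclasses import dataclass


class LoginRejected(Exception):
    """Raised under policy="reject" when the user already holds a live session."""


@dataclass
class Session:
    sid: str
    user: str
    last_seen: float


class ManualClock:
    """Constructed clock so the idle timeout can be advanced deterministically."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class SessionManager:
    """Hypothetical server-side session store (not Cocoon's own code).

    policy="reject":  a second login for the same user is refused until the
                      first session idles out (the lock-out problem above).
    policy="replace": the second login succeeds and expires every other
                      session of the same user (Alfred's compromise).
    """

    def __init__(self, policy="replace", timeout=20 * 60, clock=time.time):
        self.policy = policy
        self.timeout = timeout      # idle timeout in seconds (20 min default)
        self.clock = clock          # injectable for tests
        self.sessions = {}          # sid -> Session

    def _reap_idle(self):
        now = self.clock()
        stale = [s for s, x in self.sessions.items() if now - x.last_seen > self.timeout]
        for sid in stale:
            del self.sessions[sid]

    def login(self, user):
        """Return a fresh session id for an already-authenticated user."""
        self._reap_idle()
        others = [s for s, x in self.sessions.items() if x.user == user]
        if others and self.policy == "reject":
            raise LoginRejected(f"{user} already has an active session")
        for sid in others:          # "replace": expire sessions with same user
            del self.sessions[sid]
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(sid, user, self.clock())
        return sid

    def is_active(self, sid):
        """True if the session exists and has not idled out; refreshes it."""
        self._reap_idle()
        sess = self.sessions.get(sid)
        if sess is None:
            return False
        sess.last_seen = self.clock()
        return True

    def logout(self, sid):
        self.sessions.pop(sid, None)
```

With the "reject" policy a crashed browser locks the user out until the timeout passes; with "replace" the new login works immediately and the orphaned session is gone, which also means a stolen session cookie stops working the moment its rightful owner logs in again.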
