cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Antonio Gallardo" <agalla...@agsoftware.dnsalias.com>
Subject RE: software licensing - security.
Date Mon, 03 Feb 2003 11:59:10 GMT
Nathaniel Alfred dijo:
>>-----Original Message-----
>>From: Antonio Gallardo [mailto:agallardo@agsoftware.dnsalias.com] Sent:
>> Montag, 3. Februar 2003 12:10
>>To: cocoon-dev@xml.apache.org
>>Subject: Re: software licensing - security.
>>
>
>>
>>I think sometimes is good to restrict the access of the users. I got a
>> recently requirement for a customer (for security reasons):
>>
>>"The user can run oly one session into the system".
>>
>>The idea is that if you are already loged-on a computer. You cannot run
>> another session with the same username and password. Also
>>nobody can use
>>your username and password to go into the system, because you
>>are already
>>using it.
>>
>>Of course if the user need to move to another computer, he
>>must first logoff.
>>
>>I know that this requeriment is unusual. But some companies
>>has this kind
>>of rules of bussiness. ;-)
>>
>>I thinked that we can change the authentication manager to set some
>> parameters into this area. What you think?
>>
>
> We also had this requirement from one of our customers.  The trouble is
> though that with HTTP the server cannot know, if the user is still at
> the other end.
>
> If the browser crashes ,or the user closes it without logging of, the
> server keeps the session until it times out.  If you say, the second
> login is rejected, you will need to wait for the session timeout
> (typically 20 minutes), before the user can get in again.
> (A similar scenario is, that the user went to his boss to show him
> something, but can't login there because he forgot to logout first on
> his own browser.)
>
Good point. This will help to sell the idea you proposed below. :-D

> Therefore, you should sell your customer at least the compromise, that
> the second login succeeds but dumps the first login.
>
> To implement that one only needs to loop over all existing sessions and
> expire immediately those with the same credentials.  (I have currently
> no idea, where this could be done.)

I think that we need to hack the authentication-manager component, adding
code that will check this condition and invalidating the old session.

>
> Cheers, Alfred.

Antonio Gallardo



---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org


Mime
View raw message