From Nikola Milutinovic <Nikola.Milutino...@ev.co.yu>
Subject Re: Concurrent login detection - how?
Date Wed, 15 Jun 2005 14:38:05 GMT
Andre Van Klaveren wrote:

>I mentioned this issue (killing browser problem) in a previous
>posting.  The only way to prevent this is to invalidate the original
>session also in the event that a duplicate login was detected.  I can
>see a possible DOS attack problem with this solution though.  Maybe
>you shouldn't invalidate the original session and make the user call
>helpdesk to invalidate the original session.  This would aid in the
>tracking of this event also.

To DoS or not to DoS? I would let the session expire naturally, let the 
SessionListener clean up and log out the user and when a duplicate comes 
in tell them what is the case. If they need access *now*, they can call 
the help desk.

>Using IP addresses is usually not a good way to detect duplicate
>logins.  I guess this would work in a controlled environment
>(intranet) where you can guarantee that the user(s) aren't behind a
>proxy server.  It's definitely not an option for a public site.

True.

Nix.
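The approach Nikola sketches (a registry of active logins, a session listener that releases a login when the original session expires or is invalidated, and a login step that refuses a duplicate instead of kicking out the existing session) as an added example; this is not code from the thread or from Tomcat. It assumes the Servlet 2.4 API that Tomcat 5 shipped with; the class names, the `auth.user` session attribute and the `Credentials.verify` helper are assumptions.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * One registry of active logins keyed by username. Register it in web.xml as a
 * <listener> so sessionDestroyed() fires on explicit invalidate() and on timeout
 * expiry alike; the expiry case is what frees a login whose browser was killed.
 * Class, attribute and helper names are assumptions, not anything from the thread.
 */
public final class ActiveLoginRegistry implements HttpSessionListener {

    /** Session attribute under which the login stores the authenticated username. */
    public static final String USER_ATTR = "auth.user";

    /** username -> id of the session that currently owns that login (per JVM). */
    private static final ConcurrentMap<String, String> ACTIVE =
            new ConcurrentHashMap<String, String>();

    /** Claims the login for user; false if another live session already holds it. */
    public static boolean tryLogin(String user, HttpSession session) {
        String current = (String) session.getAttribute(USER_ATTR);
        if (current != null && !current.equals(user)) {
            ACTIVE.remove(current, session.getId());   // same session switches users: release the old login
        }
        String owner = ACTIVE.putIfAbsent(user, session.getId()); // atomic: two racing logins cannot both win
        if (owner != null && !owner.equals(session.getId())) {
            return false;                               // duplicate: leave the original session untouched
        }
        session.setAttribute(USER_ATTR, user);
        return true;
    }

    /** True only while this session still owns the login; an authorization filter checks this per request. */
    public static boolean isAuthenticated(HttpSession session) {
        String user = (String) session.getAttribute(USER_ATTR);
        return user != null && session.getId().equals(ACTIVE.get(user));
    }

    /** Help-desk release: the stuck session keeps existing but no longer passes isAuthenticated(). */
    public static boolean release(String user) {
        return ACTIVE.remove(user) != null;
    }

    public void sessionCreated(HttpSessionEvent e) { /* nothing to track until login */ }

    public void sessionDestroyed(HttpSessionEvent e) {
        HttpSession s = e.getSession();
        String user = (String) s.getAttribute(USER_ATTR);
        if (user != null) {
            ACTIVE.remove(user, s.getId());             // only if this session is still the owner
        }
    }

    /** Login endpoint; nested so the example is one file (map it as ActiveLoginRegistry$LoginServlet). */
    public static class LoginServlet extends HttpServlet {
        protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            String user = req.getParameter("username");
            String pass = req.getParameter("password");
            // Credentials.verify is an assumed application-specific password check.
            if (user == null || pass == null || !Credentials.verify(user, pass)) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            HttpSession session = req.getSession(true);
            if (!tryLogin(user, session)) {
                // The original session is not invalidated, so knowing a password is not
                // enough to log the real user out; the user waits for expiry or calls the help desk.
                resp.setStatus(HttpServletResponse.SC_CONFLICT);
                resp.setContentType("text/plain");
                resp.getWriter().println("This account is already logged in from another session. "
                        + "That session will expire on its own; if you need access now, contact the help desk.");
                return;
            }
            resp.sendRedirect(req.getContextPath() + "/home");
        }
    }
}
```

Two things to keep in mind when using it: the map lives in one JVM, so a clustered Tomcat needs a shared store instead; and if the application invalidates and recreates the session at login to defeat session fixation, `tryLogin` must be called on the new session, since the listener will remove whatever the old session id registered.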

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

