Hi John,

For the session timeout, I found the setting under Web, in User Preferences. It looks like some people had no timeout setting at all, and some had 5 hours. I have logged an internal RFC to globally reset everyone's to one hour, and also to set the mid-tier web server timeout to the same, to cover all bases.
For the concurrent users, I confirmed that as long as the user does not have a fixed licence plus the admin role, they cannot log in concurrently from multiple machines, so that one is closed.

As for the auto-complete one, the specific comments from the pen-tester were as follows. He was not actually scanning cookies by the looks of it, more viewing the screen in front of him. He provided a screenshot showing the web browser offering the last 3 usernames used on that browser. It should be possible to stop browsers remembering a field value, like online banking sites where, no matter what the browser is set to, you can NOT remember the last value of the field from the last visit:

"Web application allows users to store the password in the browser ("remember password" function). If the auto-complete feature is ON and an attacker gains access to the browser cache, they can easily obtain the password in clear text and list down the complete user IDs present on the particular application."

Cheers,
Dan

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
attend wwrug12 www.wwrug12.com ARSList: "Where the Answers Are"
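As an added example (not from this thread or from the product's own code), a small Python audit that flags login-form fields a browser may offer to auto-fill, i.e. username and password inputs with no autocomplete="off" on the field or its enclosing form. The sample HTML is constructed; password fields are still reported because current browsers ignore autocomplete="off" for their own password managers, so a server-side control (short session timeout, no "remember me") is what actually closes that part of the finding.

```python
from html.parser import HTMLParser

# Constructed sample: a login form plus an unrelated form that is already
# protected at form level. Not taken from any real application.
SAMPLE_HTML = """
<form method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
<form method="post" action="/search" autocomplete="off">
  <input type="text" name="q">
</form>
"""


class AutocompleteAudit(HTMLParser):
    """Collect text/email/password inputs the browser may auto-fill.

    A field counts as covered when it, or the <form> containing it,
    carries autocomplete="off". Everything else is reported as a
    (field name, input type) finding.
    """

    def __init__(self):
        super().__init__()
        self.form_off = False   # true while inside a form with autocomplete="off"
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_off = (a.get("autocomplete") or "").lower() == "off"
        elif tag == "input":
            kind = (a.get("type") or "text").lower()
            if kind not in ("text", "email", "password"):
                return   # buttons, hidden fields etc. are not auto-filled
            field_off = (a.get("autocomplete") or "").lower() == "off"
            if not (field_off or self.form_off):
                self.findings.append((a.get("name") or "?", kind))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False


def audit(html):
    """Return the list of (name, type) fields lacking autocomplete="off"."""
    parser = AutocompleteAudit()
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for name, kind in audit(SAMPLE_HTML):
        print(f"{name}: {kind} field has no autocomplete=off on field or form")
```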