>-----Original Message-----
>From: Antonio Gallardo [mailto:[EMAIL PROTECTED]]
>Sent: Monday, 3 February 2003 12:10
>To: [EMAIL PROTECTED]
>Subject: Re: software licensing - security.
>
>
>I think sometimes it is good to restrict the access of the users. I
>recently got a requirement for a customer (for security reasons):
>
>"The user can run only one session into the system".
>
>The idea is that if you are already logged on to a computer, you cannot run
>another session with the same username and password. Also nobody can use
>your username and password to go into the system, because you are already
>using it.
>
>Of course if the user needs to move to another computer, he must first log off.
>
>I know that this requirement is unusual. But some companies have this kind
>of rules of business. ;-)
>
>I thought that we can change the authentication manager to set some
>parameters into this area. What do you think?
>

We also had this requirement from one of our customers. The trouble is, though, that with HTTP the server cannot know if the user is still at the other end. If the browser crashes, or the user closes it without logging off, the server keeps the session until it times out. If you say the second login is rejected, you will need to wait for the session timeout (typically 20 minutes) before the user can get in again. (A similar scenario is that the user went to his boss to show him something, but can't log in there because he forgot to log out first on his own browser.)

Therefore, you should sell your customer at least the compromise that the second login succeeds but dumps the first login. To implement that, one only needs to loop over all existing sessions and immediately expire those with the same credentials. (I currently have no idea where this could be done.)

Cheers, Alfred.
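The two policies discussed in the reply above, as an added example that is not code from the thread or from the project it concerns: a minimal in-memory session registry in Python showing "reject the second login" beside "second login dumps the first". The names `SessionRegistry`, `login`, `touch` and `invalidate` are hypothetical, a single server process is assumed, and the example goes slightly beyond the message by keeping a per-user index so the existing session is found without looping over every session.

```python
import secrets
import time

IDLE_TIMEOUT = 20 * 60  # seconds; the "typically 20 minutes" from the message


class SessionRegistry:
    """In-memory session store that allows one live session per user."""

    def __init__(self, displace=True, clock=time.monotonic):
        self.displace = displace   # True: a new login dumps the old session
        self.clock = clock         # injectable so the timeout can be tested
        self.sessions = {}         # session id -> [username, last_seen]
        self.by_user = {}          # username -> session id (avoids a full scan)

    def _live(self, sid):
        entry = self.sessions.get(sid)
        if entry and self.clock() - entry[1] < IDLE_TIMEOUT:
            return entry
        self.invalidate(sid)       # unknown id, or idle for too long
        return None

    def invalidate(self, sid):
        entry = self.sessions.pop(sid, None)
        if entry and self.by_user.get(entry[0]) == sid:
            del self.by_user[entry[0]]

    def login(self, username):
        """Call only after the credentials were verified. Returns a new
        session id, or None when the reject policy refuses the login."""
        old = self.by_user.get(username)
        if old is not None and self._live(old):
            if not self.displace:
                return None        # user stays locked out until the timeout
            self.invalidate(old)   # dump the first login
        sid = secrets.token_urlsafe(32)  # fresh, unguessable id per login
        self.sessions[sid] = [username, self.clock()]
        self.by_user[username] = sid
        return sid

    def touch(self, sid):
        """Per-request check: returns the username, or None if not valid."""
        entry = self._live(sid)
        if entry is None:
            return None
        entry[1] = self.clock()
        return entry[0]
```

Because the displaced session id is removed from the store, the next request from the first browser fails the `touch` check and is sent back to the login page.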