Nathaniel Alfred wrote:
>> -----Original Message-----
>> From: Antonio Gallardo [mailto:[EMAIL PROTECTED]]
>> Sent: Monday, 3 February 2003 12:10
>> To: [EMAIL PROTECTED]
>> Subject: Re: software licensing - security.
>>
>> I think sometimes it is good to restrict the access of the users. I recently
>> got a requirement from a customer (for security reasons):
>>
>> "The user can run only one session in the system".
>>
>> The idea is that if you are already logged on to a computer, you cannot run
>> another session with the same username and password. Also nobody can use
>> your username and password to go into the system, because you are already
>> using it.
>>
>> Of course if the user needs to move to another computer, he must first log off.
>>
>> I know that this requirement is unusual. But some companies have this kind
>> of business rules. ;-)
>>
>> I thought that we can change the authentication manager to set some
>> parameters in this area. What do you think?
>
> We also had this requirement from one of our customers. The trouble is
> though that with HTTP the server cannot know if the user is still at
> the other end.
>
> If the browser crashes, or the user closes it without logging off, the
> server keeps the session until it times out. If you say the second
> login is rejected, you will need to wait for the session timeout
> (typically 20 minutes) before the user can get in again.
> (A similar scenario is that the user went to his boss to show him
> something, but can't log in there because he forgot to log out first on
> his own browser.)

Good point. This will help to sell the idea you proposed below. :-D

> Therefore, you should sell your customer at least the compromise that
> the second login succeeds but dumps the first login.
>
> To implement that one only needs to loop over all existing sessions and
> expire immediately those with the same credentials. (I have currently
> no idea where this could be done.)

I think that we need to hack the authentication-manager component, adding code that will check this condition and invalidate the old session.

> Cheers, Alfred.

Antonio Gallardo
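The "second login dumps the first" compromise discussed in the thread, as an added example that is not part of the original messages or of the Cocoon authentication manager: a constructed in-memory registry (hypothetical `SessionRegistry`, with an injected clock so the timeout can be tested) that invalidates a user's existing sessions when that user logs in again, and lazily expires sessions idle longer than the 20-minute timeout mentioned above.

```python
import secrets
import time

IDLE_TIMEOUT = 20 * 60  # seconds; the "typically 20 minutes" from the thread


class SessionRegistry:
    """One live session per user: a new login always succeeds and evicts
    any older session of the same user; idle sessions expire lazily."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.monotonic):
        # session_id -> {"user": username, "last_seen": clock value}
        self._sessions = {}
        self._idle_timeout = idle_timeout
        self._clock = clock  # injectable for tests (assumed helper, not a real API)

    def login(self, username):
        """Create a session for an already-authenticated user.

        Returns (new_session_id, [evicted_session_ids]).  Keyed on the
        username only, so no credentials are stored in the table."""
        evicted = [sid for sid, s in self._sessions.items() if s["user"] == username]
        for sid in evicted:
            del self._sessions[sid]          # dump the first login
        sid = secrets.token_urlsafe(32)      # unguessable session identifier
        self._sessions[sid] = {"user": username, "last_seen": self._clock()}
        return sid, evicted

    def validate(self, session_id):
        """Return the owning username, or None if unknown, evicted or idle-expired."""
        s = self._sessions.get(session_id)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > self._idle_timeout:
            del self._sessions[session_id]   # crashed browser case: reap on next touch
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, session_id):
        return self._sessions.pop(session_id, None) is not None


if __name__ == "__main__":
    reg = SessionRegistry()
    first, _ = reg.login("alice")
    second, evicted = reg.login("alice")   # from the boss's browser
    print(evicted == [first], reg.validate(first), reg.validate(second))
```

Because the registry is keyed on the authenticated identity, a login attempt with the wrong password never reaches `login()` and so cannot be used to kick a legitimate user off.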