At this juncture, we wanted human intervention for a several reasons:
- it allowed our client to closely monitor any potential suspicious activity
- it sends a message to the user that a human being, not a machine, is cognizant of any security issues/changes
- it provides a quick way to work out routine user-mediated errors regarding access – such as someone routinely clearing all their cookies, etc.
The process is as follows:
- our client appoints an admin to oversee user security issues, including resetting accounts.
- a user experiences access problems on login page
- an error message notifies user of login problem and posts a reminder of access requirements including "must login using the same browser on the same PC as original setup"
- error page provides a mechanism for user to request assistance for accessing the site
- The admin goes to a private page to reset the appropriate account(s)
We weren't sure how this would work with all the paranoia about concerning internet security and users routinely "cleaning out" their browsers. But so far, access problems have been, by far, the exception not the rule. I think awareness and good communication have had as much to do with the success as anything else.
Chris
On Mar 22, 2005, at 11:34 AM, Mark Weiss wrote:
Chris,
Makes sense to me. What would be the "reset" process?
Make a reset page available "unique" to them, have them reenter their username/password and then reset the cookie?
Thanks again.
Mark
On 3/22/05 9:28 AM, "Chris Millet" <[EMAIL PROTECTED]> wrote:
We did this by simply using a cookie. A cookie is set during the first
session, and then each subsequent session requires username, password
and cookie to enter the site. The cookie restricts access not only to a
single PC, but to a single browser as well.
The important thing is to notify the users about the restricted access ahead of time and give instructions on what to do if a problem occurs. When a problem does occur, the users simply sends a request to reset their account. This provides a way to monitor potential suspicious activity. So far it has worked very well, and only a couple of resets are required a month for a base of about 1,000 users.
Chris
On Mar 22, 2005, at 10:50 AM, Mark Weiss wrote:
Hi,
I am about to deploy a system for B 2 B ordering. Does anyone know of
a way,
to set up user accounts from the customers desktop and capture some
unique
identifier from his PC so that in the future, if someone tried to log
in
using their username/password from another desktop, it would not work?
I don't mean to be too paranoid. Just wanting to lock things down as much as is possible to protect us and protect the customer's information.
Running Witango on OSX Panther Server, 10.3.8. Witango 5.5. Apache 1.3.
( And thanks to Robert Garcia, we have not experienced a single crash
at
this point after 2 months. Not a high volume site though, but so far
fast
and reliable. We have a date handling anomaly that I think is a witango
issue, but other than that life is good. )
Mark Weiss
_____________________________________________________________________ __
_
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
______________________________________________________________________ __
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
_______________________________________________________________________ _
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
________________________________________________________________________ TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
