Chris,

Actually, I like your approach. I just wanted to make sure no one had a false sense of security.

bill
On Tuesday, March 22, 2005, at 11:25 AM, Chris Millet wrote:

This is also along the lines of "there is no absolute security". The objective, then, becomes reducing the risk of a security breach by deterring unwanted behavior and encouraging good behavior. And the more layers of protection, the less the risk of a breach. The harder it is to engage in unwanted behavior, the less likely it is to be done.

Much of it comes down to how much you (or your client) are willing to spend for security. I'm certain you can find a more robust system than what I am suggesting, but then you may end up running into cost and/or usability issues. Many of the alternatives we considered simply cost more than what we were trying to protect, or they were so impenetrable that the end users were not likely to use them – thereby defeating the purpose of what we were originally employed to do, which was to automate a business process.

It is also important to remember that security is as much about understanding behavior as it is about implementing a system of prevention.

Chris


On Mar 22, 2005, at 11:58 AM, Bill Conlon wrote:

This is along the lines of "locks only keep honest people honest". There is no reason that the persistent cookie, stored in a file on the PC, can't be stolen or transferred to another system.


On Tuesday, March 22, 2005, at 09:28 AM, Chris Millet wrote:

We did this by simply using a cookie. A cookie is set during the first session, and then each subsequent session requires username, password and cookie to enter the site. The cookie restricts access not only to a single PC, but to a single browser as well.

The important thing is to notify the users about the restricted access ahead of time and give instructions on what to do if a problem occurs. When a problem does occur, the user simply sends a request to reset their account. This provides a way to monitor potential suspicious activity. So far it has worked very well, and only a couple of resets are required a month for a base of about 1,000 users.

Chris


On Mar 22, 2005, at 10:50 AM, Mark Weiss wrote:

Hi,

I am about to deploy a system for B2B ordering. Does anyone know of a way to set up user accounts from the customer's desktop and capture some unique identifier from his PC so that in the future, if someone tried to log in using their username/password from another desktop, it would not work?


I don't mean to be too paranoid. Just wanting to lock things down as much as is possible to protect us and protect the customer's information.


Running Witango on OSX Panther Server, 10.3.8. Witango 5.5. Apache 1.3.

(And thanks to Robert Garcia, we have not experienced a single crash at this point after 2 months. Not a high volume site though, but so far fast and reliable. We have a date handling anomaly that I think is a Witango issue, but other than that life is good.)


Mark Weiss



________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
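The scheme Chris describes (username, password and a persistent browser cookie required on every login, with a reset request when the cookie check fails) together with Bill's caveat that the cookie is only a file on the PC, as an added worked example that is not part of the original thread and is not Witango code or Chris's implementation. `UserStore`, `login`, `reset`, `set_cookie_header` and the audit list are assumed names, the user records are constructed inline, and the server stores only a digest of the cookie value so a copy of the user table does not yield working cookies.

```python
"""Added example: username + password + browser-bound cookie on each login.
Not the Witango list's or Chris Millet's code; names are assumptions."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; a dedicated password hashing
    # library (bcrypt/argon2) is the better choice in a real deployment.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _hash_token(token: str) -> bytes:
    # Only a digest of the cookie value is stored, so a dump of the user
    # table does not hand out usable cookies.
    return hashlib.sha256(token.encode()).digest()


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    device_hash: Optional[bytes] = None  # None until the first session enrolls a browser


@dataclass
class UserStore:
    """Assumed in-memory user table, constructed for this example."""
    users: Dict[str, User] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)  # what gets reviewed for resets

    def create(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = User(salt, _hash_password(password, salt))

    def _password_ok(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt))

    def login(self, username: str, password: str,
              cookie: Optional[str]) -> Tuple[str, Optional[str]]:
        """Return (status, cookie_value_to_set).

        "enrolled": first session, credentials OK, a new cookie is issued
        "ok":       credentials and cookie both match
        "denied":   wrong password, or cookie missing/mismatched
        """
        if not self._password_ok(username, password):
            return "denied", None
        user = self.users[username]
        if user.device_hash is None:
            # First session: bind the account to the requesting browser.
            token = secrets.token_urlsafe(32)
            user.device_hash = _hash_token(token)
            return "enrolled", token
        if cookie is not None and hmac.compare_digest(user.device_hash, _hash_token(cookie)):
            return "ok", None
        # Right password, wrong or missing cookie: the event users are told
        # to report, and the one worth watching in the audit trail.
        self.audit.append(f"cookie-mismatch user={username}")
        return "denied", None

    def reset(self, username: str) -> None:
        """Clear the browser binding; the next successful login re-enrolls."""
        self.users[username].device_hash = None
        self.audit.append(f"reset user={username}")


def set_cookie_header(token: str, max_age_days: int = 365) -> str:
    # Persistent, HTTPS-only, not readable by page scripts. It is still a
    # file on the PC: whoever copies it can present it (Bill Conlon's point).
    return (f"Set-Cookie: dev={token}; Path=/; Max-Age={max_age_days * 86400}; "
            "Secure; HttpOnly")


if __name__ == "__main__":
    store = UserStore()
    store.create("alice", "correct horse battery staple")   # constructed sample user
    status, token = store.login("alice", "correct horse battery staple", None)
    print(status, set_cookie_header(token))                                 # enrolled ...
    print(store.login("alice", "correct horse battery staple", token))      # ('ok', None)
    print(store.login("alice", "correct horse battery staple", None))       # ('denied', None)
    print(store.audit)                                                      # ['cookie-mismatch user=alice']
```

`login` hands back the cookie value only at enrollment; the caller emits it with `set_cookie_header` and the browser returns it on every later request. Presenting the same token from a different browser still passes, which is exactly the limitation Bill raises: the control raises the effort and makes a stolen password alone useless, but it binds the account to a bearer file, not to the hardware.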