Allowing Simultaneous Login
Many web applications allow users to log in simultaneously from multiple machines. From the user's perspective this is convenient: someone who is logged in on a device at home can still reach the site from another device by entering the correct credentials. Allowing multiple logins in this way is not appropriate in every scenario, because an attacker can take advantage of it.
For example, suppose a bank's mobile application sends a one-time password (OTP) whenever a user logs in, but waives the OTP for further logins while a session for that user is already active, until that session ends. The user is logged in to the bank's portal. An attacker who wants to steal money from the user gains access to the user's browser and collects the URL and the other device-specific information that the login needs. With a suitable software tool and that information, he authenticates to the server as the user without ever being asked for the OTP, and transfers money to another account. The second factor protected only the first login; the active session turned every subsequent login into a single-factor one.
The solution is to disable concurrent access. A few methods to implement this are listed below:
- Do not allow a user to log in from another device until they have logged out of the first one (or that session has expired).
- Require users to authenticate again, including the OTP, when they attempt a further login while a session is active, rather than treating the existing session as proof of identity.
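The following is an added example, not code from the original text, showing the bank scenario and both countermeasures side by side in a small in-memory login service. The `LoginService` class, the `Policy` names, the user `alice`, the device names and the password are all constructed for illustration; a real system would store a password hash and deliver the OTP out of band instead of returning it from `issue_otp`.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Policy(Enum):
    # Behaviour from the bank example: second factor skipped while a session is active.
    OTP_SKIPPED_WHILE_ACTIVE = "weak"
    # Method 1: refuse a second login until the first session is logged out (or expires).
    REJECT_WHILE_ACTIVE = "reject"
    # Method 2: demand the second factor on every login, active session or not.
    REAUTH_EVERY_LOGIN = "reauth"


@dataclass
class Session:
    user: str
    token: str
    device: str
    expires_at: float


@dataclass
class LoginResult:
    status: str  # "ok", "bad_credentials", "session_active", "otp_required", "bad_otp"
    session: Optional[Session] = None


class LoginService:
    """Hypothetical login endpoint; credentials and OTPs live in memory for illustration."""

    def __init__(self, policy: Policy, users: Dict[str, str], session_ttl: float = 900.0):
        self.policy = policy
        self._users = users                             # user -> password (real systems store a hash)
        self._ttl = session_ttl
        self._sessions: Dict[str, List[Session]] = {}   # user -> sessions issued so far
        self._pending_otps: Dict[str, str] = {}         # user -> OTP "sent" to the user's phone

    def issue_otp(self, user: str) -> str:
        """Stand-in for sending an OTP; returns it so the caller can play the legitimate user."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending_otps[user] = code
        return code

    def active_sessions(self, user: str, now: float) -> List[Session]:
        """Unexpired sessions for the user; expired ones are dropped and no longer count."""
        live = [s for s in self._sessions.get(user, []) if s.expires_at > now]
        self._sessions[user] = live
        return live

    def logout(self, user: str) -> None:
        self._sessions.pop(user, None)

    def login(self, user: str, password: str, device: str,
              otp: Optional[str] = None, now: Optional[float] = None) -> LoginResult:
        now = time.time() if now is None else now
        expected = self._users.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return LoginResult("bad_credentials")
        existing = self.active_sessions(user, now)
        if self.policy is Policy.REJECT_WHILE_ACTIVE and existing:
            return LoginResult("session_active")      # method 1: no second login while one is active
        # Only the weak policy lets an active session stand in for the second factor.
        otp_needed = not (self.policy is Policy.OTP_SKIPPED_WHILE_ACTIVE and existing)
        if otp_needed:
            if otp is None:
                return LoginResult("otp_required")    # method 2: re-authenticate on every login
            pending = self._pending_otps.get(user)
            if pending is None or not hmac.compare_digest(pending.encode(), otp.encode()):
                return LoginResult("bad_otp")
            del self._pending_otps[user]              # one-time: a used code cannot be replayed
        session = Session(user, secrets.token_urlsafe(32), device, now + self._ttl)
        if self.policy is Policy.OTP_SKIPPED_WHILE_ACTIVE:
            self._sessions[user] = existing + [session]   # concurrent sessions allowed
        else:
            self._sessions[user] = [session]              # one session per user
        return LoginResult("ok", session)


def second_device_outcome(policy: Policy) -> str:
    """Replay the bank scenario under a policy and return what the second device gets."""
    svc = LoginService(policy, {"alice": "correct horse battery staple"})  # constructed credentials
    t0 = 1_700_000_000.0
    # The legitimate user logs in from home and completes the OTP step.
    code = svc.issue_otp("alice")
    first = svc.login("alice", "correct horse battery staple", "home-pc", otp=code, now=t0)
    if first.status != "ok":
        raise RuntimeError("setup failed")
    # The attacker holds the password but cannot receive the OTP, so no otp= is supplied.
    return svc.login("alice", "correct horse battery staple", "attacker-laptop", now=t0 + 60).status
```

Running `second_device_outcome` for each policy shows the difference: under the weak policy the attacker's login succeeds with the password alone, under the first countermeasure it is refused outright, and under the second it stalls at the OTP prompt. Note that the weak policy is only weak while a session is active; once it expires the OTP is demanded again, which is exactly the window the text describes.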