Allowing Simultaneous Login - Shezartech

Allowing Simultaneous Login

Many web applications allow a user to be logged in from several machines at once. From the user's perspective this is convenient: someone already logged in on a device at home can still open the site from another device as long as the correct credentials are entered. Allowing multiple concurrent logins is not appropriate in every scenario, however, because a person with malicious intent can take advantage of it.

For example, a bank's mobile application sends a one-time password (OTP) each time a user logs in, but if a session is already running for that user, no OTP is required to log in again until the session ends. Suppose a user is logged in to the bank's portal and an attacker wants to steal money from that user. The attacker gains access to the user's browser and obtains the URL and other device-specific information needed to log in. Using a software tool and the gathered information, he gains access to the server and then transfers money to another account.

The solution is to disable concurrent access. A few ways to implement this are listed below:

  • Not allowing users to log in from another device unless they log out of the first one.
  • Asking users to authenticate themselves again when they attempt another login while a session is active.
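Both policies above can be enforced in the same server-side session store. The following is an added illustration, not code from the original post: a minimal in-memory store that keeps at most one live session per user, either refusing a second login until the first device logs out ("reject") or refusing it until the caller has freshly re-authenticated, for example with a new OTP ("reauth"). The class and method names are this example's own.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    token: str

class SessionStore:
    """At most one live session per user. policy="reject" refuses a second
    login until the first session is logged out; policy="reauth" refuses it
    unless the caller just re-authenticated (e.g. a fresh OTP), and then
    replaces the first session so only one device stays logged in."""

    def __init__(self, policy="reject"):
        if policy not in ("reject", "reauth"):
            raise ValueError("policy must be 'reject' or 'reauth'")
        self.policy = policy
        self._by_user = {}   # user -> Session
        self._by_token = {}  # token -> Session

    def _drop(self, s):
        self._by_user.pop(s.user, None)
        self._by_token.pop(s.token, None)

    def login(self, user, fresh_auth=False):
        """Call only after the primary credentials were verified. Returns
        (status, token) with status "ok", "active_session" or "reauth_required";
        token is None unless status is "ok"."""
        existing = self._by_user.get(user)
        if existing is not None:
            if self.policy == "reject":
                return "active_session", None      # must log out first device
            if not fresh_auth:
                return "reauth_required", None     # challenge before granting
            self._drop(existing)  # re-authenticated: first device is logged out
        s = Session(user, secrets.token_urlsafe(32))
        self._by_user[user] = s
        self._by_token[s.token] = s
        return "ok", s.token

    def logout(self, token):
        s = self._by_token.get(token)
        if s is not None:
            self._drop(s)

    def is_valid(self, token):
        return token in self._by_token
```

In a real deployment the store would be backed by a shared database or cache so that every application node sees the same single-session state, and the "reauth_required" status would drive the OTP challenge rather than a direct call with fresh_auth=True.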