From: Ashley Sheridan on
On Fri, 2010-05-14 at 10:26 -0400, Bob McConnell wrote:

> From: Richard Quadling
>
> >On 14 May 2010 14:47, Bob McConnell <rvm(a)cbord.com> wrote:
> >> Actually, I believe that linking a session to a specific individual
> >> without reading a biometric key with every http request is an
> >> unacceptable risk. And no, I don't do any banking online.
> >
> > That's why my bank has supplied me with a little card reader for my
> > bank card, into which I put my PIN.
> >
> > So they know it is me because of something I have (my card and card
> > reader) and something I know (my PIN).
> >
> > This is pretty similar to the system we use for our online BACS
> transactions.
> >
> > And yes, I do online banking.
>
> That only verifies that it was probably you that initially logged in.
> There is nothing to prevent someone else from knocking you out and using
> the session once you have completed that step, or hijacking it after you
> are done. There are any number of ways to intercept your traffic, such
> as a poisoned DNS server misdirecting your browser through a man in the
> middle.
>
> Even without that, how long would it take someone else to 'discover'
> your four digit PIN number if they wanted to? Probably less than an hour
> with only 9999 possible variations. That's nowhere near safe enough for
> me.
>
> Bob McConnell
>


Actually, a 4-digit PIN has 10,000 combinations (0000 through 9999
inclusive).

It becomes more interesting if you allow for letters as well, with case
sensitivity, so the permutations would become 62^4 (52 letters & 10
numbers).

Thanks,
Ash
http://www.ashleysheridan.co.uk


From: Fernando on
Hello Jagdeep,

I think that using the user table will fix your first problem of having
a single user tied to a browser on the same machine or even a different
machine. Once logged in, that same user cannot log in again.

For your second issue, I do not think it is possible to keep track of
anything that will not allow user1 to log in using Internet Explorer and
then user2 to come along, open Firefox and log in using the same machine,
as sessions are kept separately and will look different on the server.
Unless you can actually use something to identify the computer, as per
your question of tracking MAC addresses, I do not see this as being
possible. But then again I'm no expert.

Just my thoughts.

Good Luck.

On 14/05/2010 03:18, Jagdeep Singh wrote:
> Hi All!
>
> I am looking for a solution, I want a user to do a single Login only on a PC.
>
> E.g. If a User has logged on my website website.com in Internet Explorer,
> then he can't log in on the same website in another browser like Firefox etc. with
> the same loginid or another.
>
> Can I trace MAC address of a single machine to solve this issue?
>
> Or is there a concept of GLOBAL COOKIE / Cross Browser Cookie which will
> work for all browsers in a single machine..
>
> I hope You will help me out
>
>
> Regards
>
> Jagdeep Singh
> +91 9988009272
>
>
From: Richard Quadling on
On 14 May 2010 15:26, Bob McConnell <rvm(a)cbord.com> wrote:
> From: Richard Quadling
>
>>On 14 May 2010 14:47, Bob McConnell <rvm(a)cbord.com> wrote:
>>> Actually, I believe that linking a session to a specific individual
>>> without reading a biometric key with every http request is an
>>> unacceptable risk. And no, I don't do any banking online.
>>
>> That's why my bank has supplied me with a little card reader for my
>> bank card, into which I put my PIN.
>>
>> So they know it is me because of something I have (my card and card
>> reader) and something I know (my PIN).
>>
>> This is pretty similar to the system we use for our online BACS
> transactions.
>>
>> And yes, I do online banking.
>
> That only verifies that it was probably you that initially logged in.
> There is nothing to prevent someone else from knocking you out and using
> the session once you have completed that step, or hijacking it after you
> are done. There are any number of ways to intercept your traffic, such
> as a poisoned DNS server misdirecting your browser through a man in the
> middle.
>
> Even without that, how long would it take someone else to 'discover'
> your four digit PIN number if they wanted to? Probably less than an hour
> with only 9999 possible variations. That's nowhere near safe enough for
> me.
>
> Bob McConnell
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

The pin pad requires my 4 digit pin and generates an 8 digit number
which is required by the bank's web site (100 million combinations and
must match expectation on the server).

The 8 digit number is different every time.

And 3 failed logins disables the login until I go through security via
the phone. And then I still have to use the same data to try again.

The channel is https ONLY - you cannot login on http.

I also keep my front door locked and I trust my wife and kids to not
knock me out, though the way the kids play up sometimes ...

DNS poisoning is certainly a possibility. The Blue Frog incident a few
years ago certainly revealed a weakness in DNS servers (the
operators).

And you are right, essentially a man-in-the-middle is still not
defendable (AFAIK).

--
-----
Richard Quadling
"Standing on the shoulders of some very clever giants!"
EE : http://www.experts-exchange.com/M_248814.html
EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling
From: tedd on
At 12:48 PM +0530 5/14/10, Jagdeep Singh wrote:
>Hi All!
>
>I am looking for a solution, I want a user to do a single Login only on a PC.
>
>E.g. If a User has logged on my website website.com in Internet Explorer,
>then he can't log in on the same website in another browser like Firefox etc. with
>the same loginid or another.
>
>Can I trace MAC address of a single machine to solve this issue?
>
>Or is there a concept of GLOBAL COOKIE / Cross Browser Cookie which will
>work for all browsers in a single machine..
>
>I hope You will help me out
>
>
>Regards
>
>Jagdeep Singh
>+91 9988009272

Jagdeep:

I don't think this is solvable.

You can make it such that if a person is logged in they cannot
log in again until they log out of their current session -- that's
doable.

But using IP addresses, or trying to sniff the machine, or other such
attempts at identifying the user will most certainly be problematic and
not solve the problem.

Good luck,

tedd

--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
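Fernando's suggestion of recording the logged-in state in the user table, tedd's "cannot log in again until they log out", and Richard's bank locking the account after three failed attempts are all server-side checks that can be shown in a few lines. The following is an added example, not code from anyone in this thread; it assumes a constructed `users` table with an `active_session` column holding the session id currently bound to the account (NULL when nobody is logged in), plus `failed_attempts` and `locked` counters, and uses an in-memory SQLite database so it runs stand-alone:

```php
<?php
// Added example (not from the thread): one active session per account, plus an
// account lock after repeated failed logins. Schema, sample user and session
// handling are constructed for the demo; a real site would use session_id().

const MAX_FAILED_ATTEMPTS = 3;

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        username        TEXT PRIMARY KEY,
        password_hash   TEXT NOT NULL,
        active_session  TEXT,                       -- session id bound to the account, or NULL
        failed_attempts INTEGER NOT NULL DEFAULT 0,
        locked          INTEGER NOT NULL DEFAULT 0)');
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]); // constructed sample
    return $db;
}

// Returns ['ok' => true, 'session' => id] on success, or ['ok' => false, 'reason' => ...].
function login(PDO $db, string $user, string $password): array {
    $stmt = $db->prepare('SELECT * FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return ['ok' => false, 'reason' => 'invalid credentials'];
    }
    if ($row['locked']) {
        return ['ok' => false, 'reason' => 'account locked'];
    }
    if (!password_verify($password, $row['password_hash'])) {
        // Count the failure; the third one locks the account until an out-of-band reset.
        $failed = (int) $row['failed_attempts'] + 1;
        $db->prepare('UPDATE users SET failed_attempts = ?, locked = ? WHERE username = ?')
           ->execute([$failed, $failed >= MAX_FAILED_ATTEMPTS ? 1 : 0, $user]);
        return ['ok' => false, 'reason' => 'invalid credentials'];
    }
    // Credentials are right, but a session is still bound to this account: refuse.
    if ($row['active_session'] !== null) {
        return ['ok' => false, 'reason' => 'already logged in'];
    }
    $sid = bin2hex(random_bytes(16));
    $db->prepare('UPDATE users SET active_session = ?, failed_attempts = 0 WHERE username = ?')
       ->execute([$sid, $user]);
    return ['ok' => true, 'session' => $sid];
}

// Per-request check: the presented session id must be the one bound to the account.
function sessionIsValid(PDO $db, string $user, string $sid): bool {
    $stmt = $db->prepare('SELECT active_session FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $bound = $stmt->fetchColumn();
    return is_string($bound) && hash_equals($bound, $sid);
}

function logout(PDO $db, string $user): void {
    $db->prepare('UPDATE users SET active_session = NULL WHERE username = ?')->execute([$user]);
}

// Demo: second login from another browser is refused while the first is active.
$db = openDb();
$first  = login($db, 'alice', 'correct horse');
$second = login($db, 'alice', 'correct horse');
echo 'first login:  ', $first['ok'] ? 'ok' : $first['reason'], "\n";
echo 'second login: ', $second['ok'] ? 'ok' : $second['reason'], "\n";
echo 'session valid: ', sessionIsValid($db, 'alice', $first['session']) ? 'yes' : 'no', "\n";
logout($db, 'alice');

// Demo: three wrong passwords lock the account even for the right password afterwards.
foreach (['wrong1', 'wrong2', 'wrong3'] as $pw) {
    login($db, 'alice', $pw);
}
$after = login($db, 'alice', 'correct horse');
echo 'after 3 failures: ', $after['ok'] ? 'ok' : $after['reason'], "\n";
```

Two caveats a practitioner would want. First, `active_session` must be cleared on logout and also expired after inactivity (a `last_seen` timestamp column is the usual addition), otherwise a user who simply closes the browser is locked out of their own account until the row is reset. Second, this only ties an account to one session; as Fernando and tedd say, the server sees each browser's session independently and has no reliable way to tell that two different sessions came from the same physical machine, so it does not solve Jagdeep's "two browsers on one PC" case.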
From: Jagdeep Singh on
Hi!

Thanks for all the replies... But many of the solutions are not for my
question.

Friends!

E.g.: If user1 has logged in with Internet Explorer on an IP address (say IP-A)
with MAC address (MAC-X),
then no other user can log in on that IP (IP-A) AND MAC address (MAC-X) on any
other browser, say Firefox.

I can stop any user from logging in more than one time at two different machines..

But I am unable to stop multiple logins on the same machine (of course in
different browsers), because each browser has a different SESSION and cookie
system.

I hope the problem is very clear now..

regards

Jagdeep Singh

On Fri, May 14, 2010 at 9:51 PM, tedd <tedd.sperling(a)gmail.com> wrote:

> At 12:48 PM +0530 5/14/10, Jagdeep Singh wrote:
>
>> Hi All!
>>
>> I am looking for a solution, I want a user to do a single Login only on a
>> PC.
>>
>> E.g. If a User has logged on my website website.com in Internet Explorer,
>> then he can't log in on the same website in another browser like Firefox etc.
>> with
>> the same loginid or another.
>>
>> Can I trace MAC address of a single machine to solve this issue?
>>
>> Or is there a concept of GLOBAL COOKIE / Cross Browser Cookie which will
>> work for all browsers in a single machine..
>>
>> I hope You will help me out
>>
>>
>> Regards
>>
>> Jagdeep Singh
>> +91 9988009272
>>
>
> Jagdeep:
>
> I don't think this is solvable.
>
> You can make it such that if a person is logged in they cannot log in
> again until they log out of their current session -- that's doable.
>
> But using IP addresses, or trying to sniff the machine, or other such
> attempts at identifying the user will most certainly be problematic and not
> solve the problem.
>
> Good luck,
>
> tedd
>
> --
> -------
> http://sperling.com http://ancientstones.com http://earthstones.com
>