Session Management - Multiple Sessions Allowed

The application lets one username/password combination hold several concurrent sessions. When several clients can be logged in to the same account at the same time, actions can no longer be tied to a single person, so accountability (non-repudiation) is weakened. Several live sessions for one set of credentials can also be a sign that the credentials have been stolen and are being used by someone other than the account owner.
An attacker who holds valid credentials can use this behaviour to cause a denial of service. With a script that logs in repeatedly, every login creates a new server-side session that consumes memory or storage, and the attacker keeps going until no resources are left for legitimate users.
This side effect is removed by terminating the user's previous session as part of the login process, so that an account can only ever have one live session. Note the trade-off: the legitimate user is also logged out of any other device when they log in again, and repeated logins themselves still cost server resources, so rate limiting of the login endpoint remains a separate, complementary control.

In PHP, the following steps enforce a single active session per account:
1. When a user logs in, save the new session ID in the database against that user's record, overwriting any previously stored value.
2. On every request to the server, compare the current session ID with the one stored for that user.
3. If the session IDs do not match, destroy the current session and require the user to log in again.
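The three steps above as working PHP. This is an added example and not code from the original post; it assumes a PDO connection, a hypothetical `users` table with columns `id`, `username`, `password_hash` and `current_session_hash`, and PHP 7.3 or later for the array form of `session_set_cookie_params`. The stored value is a SHA-256 hash of the session ID rather than the ID itself, so a read of the database does not hand out live sessions, and the session ID is regenerated at login to close session fixation at the same time.

```php
<?php
// Added example, not the original post's code. Table and column names are hypothetical.
declare(strict_types=1);

// Harden the session cookie before the session starts.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// Store only a hash of the session ID, never the ID itself.
function sessionIdHash(string $sessionId): string
{
    return hash('sha256', $sessionId);
}

/**
 * Step 1: authenticate and make this login the account's only valid session.
 * Any session previously recorded for the account no longer matches the stored
 * hash and is destroyed on its next request by enforceSingleSession().
 */
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }

    // Fresh session ID on privilege change: defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $user['id'];

    $upd = $pdo->prepare('UPDATE users SET current_session_hash = ? WHERE id = ?');
    $upd->execute([sessionIdHash(session_id()), $user['id']]);
    return true;
}

/**
 * Steps 2 and 3: call at the top of every authenticated request.
 * Returns true when this session is the account's current one. Otherwise the
 * session is destroyed and the caller must send the user back to the login page.
 */
function enforceSingleSession(PDO $pdo): bool
{
    if (empty($_SESSION['user_id'])) {
        return false;
    }

    $stmt = $pdo->prepare('SELECT current_session_hash FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $stored = $stmt->fetchColumn(); // false if no row, null if logged out elsewhere

    // hash_equals() is a constant-time comparison.
    if (!is_string($stored) || !hash_equals($stored, sessionIdHash(session_id()))) {
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        return false;
    }
    return true;
}

// Clear the stored hash so a stale cookie can never match again.
function logout(PDO $pdo): void
{
    if (!empty($_SESSION['user_id'])) {
        $stmt = $pdo->prepare('UPDATE users SET current_session_hash = NULL WHERE id = ?');
        $stmt->execute([$_SESSION['user_id']]);
    }
    $_SESSION = [];
    session_destroy();
}

// Usage on a protected page (DSN is a placeholder):
$pdo = new PDO('sqlite:app.db');
if (!enforceSingleSession($pdo)) {
    header('Location: /login.php');
    exit;
}
```

Because the check is a database read on every request, keep the lookup keyed on the primary key and, if it matters at scale, cache the hash in the session store with a short TTL; the security property holds as long as the older session is rejected before it reaches any privileged action. The login handler calls `login()` and the logout link calls `logout()`; the second login from another device silently invalidates the first, which is exactly the behaviour step 3 describes.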
