Hi John,

For the session timeout, I found the setting under Web, in User Preferences.
It looks like some people had no timeout setting at all, and some had 5 hours. I have
logged an internal RFC to globally reset everyone's to one hour, and also to
set the mid-tier webserver timeout to the same to cover all bases.

For the concurrent users, I confirmed that as long as the user does not have a
fixed license + admin role, they cannot log in concurrently from
multiple machines, so that one is closed.

As for the auto-complete one, the specific comments from the pen-tester were as
follows. He was not actually scanning cookies by the looks of it, more viewing
the screen in front of him. He provided a screenshot showing the web browser
offering the last 3 usernames used on that browser. It should be possible to
stop browsers remembering a field value, like online banking sites where no
matter what the browser is set to, you can NOT remember the last value of the
field from the last visit:

"Web applications allow users to store the password in the browser ("remember
password" function). If the auto-complete feature is ON and an attacker gains
access to the browser cache, they can easily obtain the password in clear text
and list the complete user IDs present on the particular application."
cheers
dan
_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
attend wwrug12 www.wwrug12.com ARSList: "Where the Answers Are"
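An added example (not from the mail above or from the AR System mid-tier) of the check a reviewer could run over login-page markup for the auto-complete finding: it lists the input fields a browser may offer to remember and returns a copy of the markup with autocomplete="off" added to them. The form and field names are constructed placeholders, not the product's own.

```javascript
// Constructed sample markup standing in for the login page the pen-tester
// screenshot showed; the action and field names are placeholders.
const SAMPLE_LOGIN_FORM = `
<form id="login" method="post" action="/login">
  <input type="text" name="username">
  <input type='password' name="password" autocomplete="off">
  <input type="hidden" name="csrf" value="constructed-token">
  <input type="submit" value="Log In">
</form>`;

// Input types whose typed values a browser may offer to auto-complete later.
const REMEMBERABLE_TYPES = new Set(["text", "password", "email", "tel", ""]);

// Return every <input> tag with its attributes (names lower-cased, values as written).
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*?)\/?>/gi;
  const attrRe = /([a-zA-Z_:-][\w:.-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
    }
    inputs.push({ tag: m[0], attrs });
  }
  return inputs;
}

// Names of fields the browser could remember: rememberable type, no autocomplete="off".
function findRememberable(html) {
  return parseInputs(html)
    .filter(({ attrs }) => REMEMBERABLE_TYPES.has((attrs.type || "").toLowerCase()))
    .filter(({ attrs }) => (attrs.autocomplete || "").toLowerCase() !== "off")
    .map(({ attrs }) => attrs.name || "(unnamed)");
}

// Return the markup with autocomplete="off" added to every unprotected field.
// Caveat: current browsers treat autocomplete="off" on login fields as a hint and
// may still offer saved credentials, so this addresses the username listing in
// the form cache but does not replace session and account controls.
function hardenForm(html) {
  let out = html;
  for (const { tag, attrs } of parseInputs(html)) {
    if (!REMEMBERABLE_TYPES.has((attrs.type || "").toLowerCase())) continue;
    if ((attrs.autocomplete || "").toLowerCase() === "off") continue;
    const fixed = tag.replace(/\s*\/?>$/, (end) => ` autocomplete="off"${end}`);
    out = out.split(tag).join(fixed);
  }
  return out;
}
```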