Clarity

  • 1.  Concurrent Sessions

    Posted Nov 08, 2010 11:57 AM
    Hi All!

    I'm new to Clarity so I'm not sure if this is possible. My install went through a security audit for a government agency. One of their findings revealed that a user could log in to Clarity concurrently. Is there a way to disable sessions when another session is opened?

    Thanks!


  • 2.  RE: Concurrent Sessions

    Posted Nov 08, 2010 03:58 PM
    I don't think there is any configuration setting that would allow you to do that.
    But are you experiencing that when a user logs in and starts a new session that it is possible to access the system with the old session?
    I don't think that is possible.

    When the user logs out that session is not accessible any more.
    The pages may remain in the browser cache and can be retrieved with no changes and no connection to the system.
    Any change or refresh will force the log in screen to appear.

    Your problem is not for the normal users just for hackers and they might have easier options.

    Martti K.


  • 3.  RE: Concurrent Sessions

    Posted Nov 10, 2010 10:50 AM
    I guess users opening different Clarity screens in different tabs on the same browser instance does not count, does it?


  • 4.  RE: Concurrent Sessions

    Posted Nov 10, 2010 02:40 PM
    I've got session and session count portlets.
    When I open a new blank tab in FF and go to Clarity login URL I get to the Overview page without logging in again and the session count does not go up.
    Neither does it go up when I paste the URL of another Clarity page on the address line of the new blank tab.

    Martti K.


  • 5.  RE: Concurrent Sessions

    Posted Nov 14, 2010 03:45 PM
    Hi.

    We had the exact same thing happen -- a customer ran a security audit and flagged the ability to do parallel sessions for the same user without any warning or notification as a potential security issue.

    We ended up filing an ERQ for this, to add configuration properties to the product giving me the ability to either prevent this from happening, or getting a notification to the first session, something along the lines of "a parallel session for this user has just been opened on a different machine".

    This would, I'm pretty sure, involve a major change in the session management (plus a few details such as how would you expect the MSP / OpenWorkbench integrations to react, since they also log in concurrently and I wouldn't want to interfere with that!). So I'm therefore not really confident that a solution for the ERQ would be forthcoming in the near future. I can't give you a current status update on the ERQ - I'd assume it's working its way along the normal queue.

    Daniel

    P.S. The only "hack" workaround I could think of is to monitor the session table in the database for duplicate sessions for the same user and, if you detect one, simply delete or expire the oldest (or newest) session. That would probably be a non-supported customization, though, and might get you into other problems. So I can't really recommend it.
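The session-table check Daniel sketches in the P.S., as an added example that is not from the thread or from the Clarity product: the table layout, column names and sample rows are constructed assumptions (the real Clarity session schema is not shown here), and the exempt-user list stands in for the MSP / Open Workbench integration accounts he did not want to interfere with.

```python
import sqlite3

# Hypothetical session table; the real Clarity schema is not on the page.
SCHEMA = """
CREATE TABLE sessions (
    session_id  TEXT PRIMARY KEY,
    user_name   TEXT NOT NULL,
    client_host TEXT NOT NULL,
    created_at  TEXT NOT NULL,            -- ISO-8601, sorts chronologically
    expired     INTEGER NOT NULL DEFAULT 0
)
"""

# Constructed sample data: 'alice' has two live sessions from different hosts,
# 'bob' has one, and 'msp_integration' logs in concurrently by design.
SAMPLE_ROWS = [
    ("s1", "alice",           "10.0.0.5",  "2010-11-14T15:00:00", 0),
    ("s2", "alice",           "10.0.0.9",  "2010-11-14T15:05:00", 0),
    ("s3", "bob",             "10.0.0.7",  "2010-11-14T15:01:00", 0),
    ("s4", "msp_integration", "10.0.0.20", "2010-11-14T15:02:00", 0),
    ("s5", "msp_integration", "10.0.0.21", "2010-11-14T15:03:00", 0),
]


def build_db():
    """Create an in-memory copy of the hypothetical session table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO sessions VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def find_parallel_sessions(conn, exempt_users=()):
    """Map user -> [(session_id, host, created_at)] for users with >1 live session."""
    rows = conn.execute(
        "SELECT user_name, session_id, client_host, created_at FROM sessions "
        "WHERE expired = 0 ORDER BY user_name, created_at"
    ).fetchall()
    by_user = {}
    for user, sid, host, created in rows:
        by_user.setdefault(user, []).append((sid, host, created))
    return {u: s for u, s in by_user.items()
            if len(s) > 1 and u not in exempt_users}


def expire_duplicates(conn, keep="newest", exempt_users=()):
    """Expire all but one live session per flagged user; return what was expired.
    keep='newest' ends the earlier logins, keep='oldest' ends the later ones."""
    expired = []
    for user, sessions in find_parallel_sessions(conn, exempt_users).items():
        victims = sessions[:-1] if keep == "newest" else sessions[1:]
        for sid, host, _ in victims:
            conn.execute("UPDATE sessions SET expired = 1 WHERE session_id = ?", (sid,))
            expired.append((user, sid, host))   # audit trail for the security log
    conn.commit()
    return expired
```

Run as a periodic job it reports which user, session and client host were ended, which is the notification the ERQ asks for even if you choose not to expire anything.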