
Google, Yahoo, Facebook and several banks have a session summary screen that lists a variety of information, but they aren't consistent in what is offered to the end user. e.g.

  • Facebook offers a concise "active session" list, and enough information to determine if that session should be terminated.

  • Chase bank, for example, lists how many transactions have been issued in the current session, while there is a larger (and overwhelming) set of options in Google.

Excluding the line of business details (as in the banking app), what session information and controls (e.g. terminate session) should be included on a session summary?

Edit: The thought is that providing too much information in a session summary could be used by a malicious person or script accessing that page. e.g. an account could be hijacked, the password changed and all legitimate sessions terminated.

Other social engineering, or PII disclosure may also be possible depending on the type of attack.

makerofthings7

2 Answers

If the link is not secure, nothing at all should be shown.

The rest of the post assumes a secure link. The following is relevant:

  • if other concurrent logins exist, or failed login attempts, very important, show as much details as possible so that the person can identify himself;
  • last monetary on-line transaction;
  • last monetary off-line transaction;
  • details of current login and timeout;
  • fraud numbers and links;
  • verification that the site is authentic or a method to confirm.

Basic information about security-related matters in a link.

I think PayPal is a good start.

skvery

I would think that the bare minimum would be any sessions that are currently logged in with the current username. I find that anything else would be a distraction. I like the approach Facebook takes, which allows you both to see your current sessions and to end any of them.

If there is a requirement to display more information then display the sessions list with links to provide more detail, otherwise don't bother.

PseudoNym01