Home > Archive > WebSphere Commerce suite > October 2004 > Simultaneous logins with the same profile
Simultaneous logins with the same profile
janardhana@lincsoftware.soft.net 2004-09-29, 8:11 pm
Hello all,
I am on WC 5405/ORA/WIN. Whenever I use the same profile to log into WC
from multiple locations I get an error message for the second instance which
goes something like 'An invalid cookie was received for the user, your
logonId may be in use by another user'. I understand the importance of
this, but is there some way I can switch this off and allow the same user to
log in simultaneously from multiple locations?
Thanks in advance,
Jana
René Kikkenborg 2004-10-05, 5:59 pm
Hi,
It's possible if you only use http and not https.
/René
janardhana@lincsoftware.soft.net 2004-10-06, 5:57 pm
Rene, thanks for the response. I will remove https and check if I can log in
from multiple locations.
Jim Weiler 2004-10-19, 5:53 pm
In article <ck11v4$66nk$1@news.boulder.ibm.com>,
janardhana@lincsoftware.soft.net says...
> Rene, Thanks for response, I will remove https and check..if I can login
> from multiple locations.
Rene, can you explain the mechanism WCS uses to check this? I have found
on our WCS 5.4 site that the same logon id and password can be used to
log in at 2 different computers, and as you said, when you go to an HTTPS
page you might get a CMN1039E error. When that happens, the one that
gets the error when going to an HTTPS page sent the
WC_AUTHENTICATION_usernumber cookie in the request, but the response has
WC_AUTHENTICATION_usernumber=DEL and WC_USERSESSION_usernumber=DEL. Do
you know what WCS is doing to determine that an HTTPS session is
invalid? The other machine with the same user was not even on a secure
page.
Thanks, Jim
Robert Brown 2004-10-19, 5:53 pm
I'll throw my two cents into the fray.
WCS does not allow the same user ID to log in to a WCS instance from two
different machines. I've never seen anything that states it works from
HTTP and not HTTPS. WCS has never allowed the same user to do this,
going back to the Net.Commerce days.
What the system is doing is performing a security check. If you are
logged in and ordering items from machine A, then it is highly likely
that your password has been compromised if someone logs in using your ID
and password from machine B. User A is given a cookie error page and
user B is allowed to continue, regardless of HTTP session state.
The database for WCS maintains the last time the person has logged in
successfully. This can be found in USERS.LASTSESSION and
USERS.PREVLASTSESSION. The WCS cookie understands this timestamp when
the cookie is established at login, and when user B logs in, the value
for user A's LASTSESSION is different, indicating a compromise.
You won't be able to circumvent this system authentication control
easily. You can execute certain commands on behalf of a user if you
have administrative privileges.
Hope this helps explain some things...
R
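The following is an added example, not code from this thread, from IBM or from WebSphere Commerce. It models the check Robert describes and the symptom Jim observed: the authentication cookie issued at login carries the same login timestamp that is written to USERS.LASTSESSION, a second login for the same user rolls LASTSESSION forward (pushing the old value into PREVLASTSESSION), and any later request from the first machine presents a cookie whose timestamp no longer matches the row, so the server rejects it and answers with the cookies set to DEL. The cookie layout, the HMAC signing, the in-memory "USERS" table and the counter used as a timestamp are all assumptions made for illustration; WCS's real cookie format and key material are not on this page.

```python
"""Model of a single-active-login check bound to USERS.LASTSESSION.

Added example (not WebSphere Commerce code). Cookie names follow the
WC_AUTHENTICATION_<users_id> / WC_USERSESSION_<users_id> pattern seen in
the thread; everything else here is a constructed assumption.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SERVER_KEY = b"constructed-demo-key"  # assumption: stands in for real server key material


@dataclass
class UserRow:
    """Minimal stand-in for the USERS row columns the thread mentions."""
    users_id: int
    lastsession: Optional[str] = None
    prevlastsession: Optional[str] = None


@dataclass
class Store:
    """In-memory 'database' with a monotonic counter used as the login timestamp."""
    users: Dict[int, UserRow] = field(default_factory=dict)
    clock: int = 1000  # constructed; a real system would use a wall-clock timestamp

    def now(self) -> str:
        self.clock += 1
        return str(self.clock)


def _sign(payload: str) -> str:
    """Short HMAC tag so a client cannot forge a cookie with a fresher timestamp."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()[:16]


def login(store: Store, users_id: int) -> Dict[str, str]:
    """Successful login: roll LASTSESSION forward and bind the new value into the cookie."""
    row = store.users.setdefault(users_id, UserRow(users_id))
    row.prevlastsession, row.lastsession = row.lastsession, store.now()
    payload = f"{users_id},{row.lastsession}"
    return {
        f"WC_AUTHENTICATION_{users_id}": f"{payload},{_sign(payload)}",
        f"WC_USERSESSION_{users_id}": payload,
    }


def _delete_cookies(cookies: Dict[str, str]) -> Dict[str, str]:
    """Set-Cookie values a rejecting response sends back (the '=DEL' Jim saw)."""
    return {name: "DEL" for name in cookies if name.startswith("WC_")}


def check_request(store: Store, cookies: Dict[str, str]) -> Tuple[bool, Dict[str, str]]:
    """Validate the auth cookie on a request. Returns (accepted, cookies_to_set).

    Rejection covers a malformed or tampered cookie and, the case the
    thread is about, a genuine cookie whose timestamp is no longer the
    row's LASTSESSION because someone else logged in with the same ID.
    The check is independent of whether the request came over HTTPS.
    """
    auth = next((v for k, v in cookies.items() if k.startswith("WC_AUTHENTICATION_")), None)
    if auth is None:
        return False, {}
    parts = auth.split(",")
    if len(parts) != 3:
        return False, _delete_cookies(cookies)
    users_id_s, ts, sig = parts
    if not hmac.compare_digest(sig, _sign(f"{users_id_s},{ts}")):
        return False, _delete_cookies(cookies)
    row = store.users.get(int(users_id_s))
    if row is None or row.lastsession != ts:
        return False, _delete_cookies(cookies)
    return True, {}


def demo() -> Tuple[bool, bool, Dict[str, str], bool]:
    """Machine A logs in, machine B logs in with the same ID, A's next request is rejected."""
    store = Store()
    machine_a = login(store, 1001)
    ok_a, _ = check_request(store, machine_a)        # accepted
    machine_b = login(store, 1001)                   # same user from a second machine
    ok_a_after, set_cookies = check_request(store, machine_a)  # rejected, cookies DEL'd
    ok_b, _ = check_request(store, machine_b)        # B continues normally
    return ok_a, ok_a_after, set_cookies, ok_b


if __name__ == "__main__":
    print(demo())
```

Run it and machine A is accepted until machine B logs in, after which A's cookie is answered with both WC_ cookies set to DEL while B carries on, which is the behaviour Robert describes. Note that the rejection here is driven purely by the LASTSESSION comparison in the model's store, so in this model it would fire on an HTTP request as readily as on an HTTPS one; whether WCS only performs the check on secure pages, as Jim's observation suggests, is not something this example can settle.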