1

I think it is OK not to terminate existing sessions if a user is locked out due to a number of login attempts with the wrong password, because it might be an attack and it would be inconvenient to terminate the existing session each time this happens.

But what about the password change process? Entering the old password wrong will increment the lockout counter, but should I terminate the session when the threshold is exceeded? (Or if it is exceeded already?)

And I am not returning the locked out status in case of failed login attempts due to security concerns. Should I return this status to the user in case of password changing attempt?

1 Answer 1

2

Usually account lockouts don't terminate a session, otherwise that could be a potential DOS scenario. For changing passwords, at most of the companies that I've worked with we also didn't terminate the session, but we had a SIEM and SOC in place that would contact the user via phone when that happens. If you have mitigations in place (such as a SIEM/SOC monitoring login attempts, or any kind of user behaviour analysis), I would say that the risk of not implementing session termination on account lockout would be low.
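As an added illustration of the policy the question and the answer discuss (this is example code, not from the asker or the answerer), the following in-memory model applies one lockout counter to both the login path and the password-change path, keeps existing sessions alive when the threshold is reached, and instead emits an alert event for a monitoring system to act on (the SIEM/SOC hand-off the answer describes). The threshold, lock duration, class names and the `AlertEvent` record are all assumptions; the login path returns the same generic message for a wrong password and a locked account so the caller cannot learn the lock state from the response. It does not settle whether the lock status should be shown on the password-change screen, which the thread leaves open.

```python
"""Toy lockout model (added example, not from the original thread)."""
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

LOCKOUT_THRESHOLD = 5        # failed attempts before the account locks (assumed)
LOCKOUT_SECONDS = 15 * 60    # how long the lock lasts (assumed)


@dataclass
class Account:
    username: str
    password: str                       # plaintext only for this toy model
    failed_attempts: int = 0
    locked_until: float = 0.0
    sessions: Set[str] = field(default_factory=set)


@dataclass
class AlertEvent:
    """What gets handed to monitoring when a lock trips (assumed shape)."""
    kind: str                           # which path caused the lock
    username: str
    session_id: Optional[str]           # set when the trigger was an authenticated session


class AuthService:
    def __init__(self, clock=time.time):
        self.accounts: Dict[str, Account] = {}
        self.alerts: List[AlertEvent] = []
        self.clock = clock              # injectable for deterministic tests

    def add_account(self, username: str, password: str) -> None:
        self.accounts[username] = Account(username, password)

    def is_locked(self, acct: Account) -> bool:
        return self.clock() < acct.locked_until

    def _record_failure(self, acct: Account, kind: str, session_id: Optional[str] = None) -> None:
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked_until = self.clock() + LOCKOUT_SECONDS
            # Sessions are deliberately NOT cleared here: terminating them would let
            # anyone who knows the username log the real user out (the DoS the answer
            # mentions). Monitoring is alerted instead.
            self.alerts.append(AlertEvent(kind, acct.username, session_id))

    def login(self, username: str, password: str) -> str:
        """Return a session id on success, else one generic error string.

        Wrong password and locked account produce the same message, so the
        response does not reveal the lock state."""
        acct = self.accounts.get(username)
        if acct is None or self.is_locked(acct) or password != acct.password:
            if acct is not None and not self.is_locked(acct):
                self._record_failure(acct, "account_locked_login")
            return "invalid credentials"
        acct.failed_attempts = 0
        sid = f"sess-{username}-{len(acct.sessions) + 1}"
        acct.sessions.add(sid)
        return sid

    def _account_for_session(self, session_id: str) -> Optional[Account]:
        for acct in self.accounts.values():
            if session_id in acct.sessions:
                return acct
        return None

    def change_password(self, session_id: str, old_password: str, new_password: str) -> str:
        acct = self._account_for_session(session_id)
        if acct is None:
            return "no such session"
        if self.is_locked(acct) or old_password != acct.password:
            # A wrong old password from an authenticated session counts toward the
            # same lockout counter; the session itself is kept, and the alert carries
            # the session id so an analyst can see which session triggered it.
            self._record_failure(acct, "account_locked_password_change", session_id)
            return "password change failed"
        acct.password = new_password
        acct.failed_attempts = 0
        return "ok"
```

Run it with a fixed clock to see both paths: five wrong passwords at login lock the account and raise one `account_locked_login` alert while the earlier session survives; five wrong old passwords from inside a session lock the account, keep that session, and raise an `account_locked_password_change` alert tagged with the session id.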
