I'm involved in the development of a SaaS application. We host the application for different customers. A customer is a company. Each customer gets access to their hosted instance of the application via a URL http://ift.tt/1BoPgQF.
We have already had one instance where a customer tried the names of various other companies (potentially competitors) as the customername in order to see whether someone else is using our product as well. I personally don't think this is too much of an issue, but I recognize that it could be both a problem for some potential customers and a security issue, so I'm interested in mitigation strategies.
Possible solutions so far are:

- Add an unguessable string to the customername: http://ift.tt/1LdEGMj. I think this a) looks ugly (and yes, we already have a customer who insisted on a particular spelling in the URL for CI reasons) and b) absolutely requires all users to have a bookmark or to remember one more mostly irrelevant thing.
- Just show a login form regardless of what is used as the customername and reject any user/password combination. This looks promising at first, but we are already implementing different login mechanisms, including password-less login via SSO, so customers will get different login screens. This also prevents a version of the login screen where the customer name becomes part of the user/password form. I'm sure sooner or later the login screen will have to match a customer's CI as well.
Is it even possible to mitigate this problem in a user-friendly way?
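The second option in the question (serve a login form for every customername and reject everything) only works if a probe for an existing tenant and a probe for a non-existing one are indistinguishable in status code, body and timing. The following is an added example (not the asker's code) of what that looks like at the handler level. It assumes the hosted URL has the shape `<customername>.example.com`, a constructed in-memory tenant registry with one tenant `acme` and one user, and PBKDF2-based password hashes; none of those names come from the question. The key points it shows: the unauthenticated page never consults the tenant table, and a failed login for an unknown tenant performs the same hash computation against a random dummy hash as a failed login for a real tenant, so a guessed competitor name cannot be confirmed by response content or response time.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample data for this example only (not the asker's real
# registry). Each tenant maps user names to (salt, PBKDF2-SHA256 hash).
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT_ACME = os.urandom(16)
TENANTS: Dict[str, Dict[str, Tuple[bytes, bytes]]] = {
    "acme": {"alice": (_SALT_ACME, _hash_password("correct horse", _SALT_ACME))},
}

# Dummy credential verified whenever the tenant or the user does not exist,
# so that a request for "competitor.example.com" costs the same hashing
# work as a request for a real tenant with a wrong password.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(os.urandom(16).hex(), _DUMMY_SALT)

# Both responses are identical for every hostname; nothing in them depends
# on whether the customername resolves to a tenant.
GENERIC_LOGIN_PAGE = (
    '<form method="post"><input name="user">'
    '<input name="password" type="password"><button>Log in</button></form>'
)
GENERIC_FAILURE = "Invalid user name or password."


def tenant_from_host(host: str, base_domain: str = "example.com") -> Optional[str]:
    """Extract the customername from <customername>.<base_domain>.

    Returns None for hosts outside the base domain or with extra labels.
    A None here and a well-formed but unknown customername must lead to
    exactly the same observable behaviour downstream.
    """
    host = host.split(":", 1)[0].lower()  # drop an explicit port
    suffix = "." + base_domain
    if not host.endswith(suffix):
        return None
    name = host[: -len(suffix)]
    return name if name and "." not in name else None


def login_page(host: str) -> Tuple[int, str]:
    """Serve the same status and body for every hostname.

    The tenant table is deliberately not consulted: the existence of a
    customer must not be observable from the unauthenticated page.
    """
    return 200, GENERIC_LOGIN_PAGE


def authenticate(host: str, user: str, password: str) -> Tuple[int, str]:
    """Verify credentials without revealing whether the tenant or user exists.

    Every path performs exactly one PBKDF2 computation and one
    constant-time comparison, and every failure returns the same response.
    """
    tenant = TENANTS.get(tenant_from_host(host) or "", {})
    salt, expected = tenant.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    ok = hmac.compare_digest(candidate, expected)
    # A match against the random dummy hash is not achievable in practice,
    # but never let it grant access to a user that does not exist.
    if ok and user in tenant:
        return 200, "Welcome, %s" % user
    return 401, GENERIC_FAILURE
```

The remaining channel not covered here is the one the question itself raises: if tenant-specific login mechanisms (SSO redirects, branded forms) are selected before authentication, the choice of mechanism leaks tenant existence regardless of how uniform the failure path is. In that design the generic page has to be served first for every hostname, and the tenant-specific flow can only begin after something the probing party does not have (a valid user name for that tenant, or a link from an authenticated session).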