#102 ✓resolved

Login Error Msgs Options for Security

Reported by sabat (at area51) | May 2nd, 2009 @ 01:39 PM

From an applications security perspective, it's usually better not to reveal certain information in error messages. When a user (or potentially, an attacker) has tried to log in with a bad username, you want to issue the same error message as when he has entered an incorrect password. This way, an attacker cannot use the error messages to tell whether he's found a legit login to try to exploit.

Check this out for a better write-up than I've done here:

http://www.gnucitizen.org/blog/u...

Attached to this ticket is a patch that gives Authlogic users the option to write a single error message for both error conditions (bad login, bad password). Default is normal behavior, although I did change the wording slightly.

I'm not 100% sure that I've made this feature in the cleanest way possible, but hopefully you see the need and can at least use my code as a starting point.

The patch also includes a couple of small fixes to comment grammar (typos etc.).

BTW, it goes without saying that Authlogic is excellent, and is my standard authorization module.
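To make the ticket's point concrete, here is an added example (not Authlogic's code or the attached patch): a minimal login check where distinct messages for an unknown login and a wrong password reveal which logins exist, and a hypothetical `single_credentials_error` option collapses both failures into one message. The user store, salt and passwords are constructed test data.

```ruby
require "digest"
# Added example, not Authlogic's code: a minimal login check that reports either
# per-condition messages (default) or one merged message for both conditions.
# SALT, USERS and the passwords are constructed test data.
SALT  = "constructed-salt"
USERS = { "alice" => Digest::SHA256.hexdigest(SALT + "correct horse") }

class LoginCheck
  LOGIN_NOT_FOUND  = "Login is not valid"      # reveals the login does not exist
  PASSWORD_INVALID = "Password is not valid"   # reveals the login does exist
  GENERIC          = "Login or password is not valid"  # used for both when merged

  attr_reader :errors
  # single_credentials_error is a hypothetical option name for the patch's idea.
  def initialize(single_credentials_error: false)
    @single = single_credentials_error
    @errors = []
  end

  # Returns true on success; on failure records exactly one message and returns false.
  def authenticate(login, password)
    digest = USERS[login]
    if digest.nil?
      fail_with(LOGIN_NOT_FOUND)
    elsif Digest::SHA256.hexdigest(SALT + password.to_s) != digest
      fail_with(PASSWORD_INVALID)
    else
      true
    end
  end

  private
  # With the option on, both failure branches collapse to the same text, so the
  # response no longer tells the caller whether the login exists.
  def fail_with(message)
    @errors << (@single ? GENERIC : message)
    false
  end
end

# What an observer can learn from each configuration: the distinct messages
# produced by an unknown login and by a known login with a wrong password.
def distinct_failure_messages(single:)
  [["mallory", "x"], ["alice", "wrong"]].map do |login, pw|
    check = LoginCheck.new(single_credentials_error: single)
    check.authenticate(login, pw)
    check.errors.first
  end.uniq
end
```

With the default configuration `distinct_failure_messages(single: false)` yields two different messages, while `distinct_failure_messages(single: true)` yields only the generic one.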
