Hi,

On Tuesday, September 13, 2011 7:42:24 PM UTC+2, Wim Feijen wrote:
>
> Flavio, Jan and Florian, it only "gives away information" when an 
> attacker guesses both the username and the password right. 
>

No! Assume the admin view is the only login view in your project (since it 
only consists of the admin or whatever), then if the attacker guesses the 
correct username/password he knows that the user/password is valid (if we 
take your approach) and doesn't need to try other passwords since you told 
him he is no admin… Given the current state he can never make that 
assumption and might try further with the same user.

> So giving this message does not 
> change the danger. On the other hand, it would prevent lots of 
> confusion. 
>

You assume that there is another login! Now you might say that my example is 
a bit obscure, but we do have some public sites with no admin which are 
managed by a dedicated admin instance (which has to be public [in the sense 
of reachable from everywhere] due to customer requests). So it does decrease 
security for us… I understand your point, but please don't assume that your 
proposed change can't leak information!

Cheers,
Florian

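The two admin login behaviours under discussion, side by side, as an added illustration (not Django's code and not part of this thread): the proposed "valid login, but not staff" message beside the uniform message the admin currently returns. The user store, hashing and message strings are constructed stand-ins for the real Django machinery.

```python
from dataclasses import dataclass
import hashlib, hmac, os

@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    is_staff: bool

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def make_user(username, password, is_staff):
    salt = os.urandom(16)
    return User(username, salt, _hash(password, salt), is_staff)

# Constructed sample accounts (not real data): a plain site user and one admin.
USERS = {u.username: u for u in (
    make_user("alice", "correct horse", is_staff=False),
    make_user("root", "hunter2", is_staff=True),
)}
NONSTAFF_LOG = []  # server-side record of valid-but-not-staff admin logins
MSG_INVALID = "Please enter a correct username and password."
MSG_NOT_STAFF = "Your account does not have access to the admin."

def authenticate(username, password):
    """Return the User on a correct password, else None. The hash is computed
    even for unknown names so response time does not reveal whether a name exists."""
    user = USERS.get(username)
    probe = _hash(password, user.salt if user else b"\0" * 16)
    if user is not None and hmac.compare_digest(probe, user.pw_hash):
        return user
    return None

def admin_login_leaky(username, password):
    """The proposed variant: a distinct message when the password is right
    but the account is not staff. That message confirms the credentials."""
    user = authenticate(username, password)
    if user is None:
        return MSG_INVALID
    return "OK" if user.is_staff else MSG_NOT_STAFF

def admin_login_uniform(username, password):
    """Florian's position: the client sees one message unless the account is
    valid AND staff; the valid-but-not-staff case is only logged server-side."""
    user = authenticate(username, password)
    if user is not None and not user.is_staff:
        NONSTAFF_LOG.append(username)
    return "OK" if user is not None and user.is_staff else MSG_INVALID
```

In the uniform variant the confused legitimate user can still be helped from the server log, while the client response carries no information about password validity.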
-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/django-developers/-/dWOzTQfFmgUJ.