[PHP] pear:Auth invalid username/password

2009-02-02 Thread John Corry
I'm using Pear Auth on several sites and am looking for suggestions on the
best way to implement error reporting on a failed log-in.

Currently I'm using a function that checks if the posted username is in the
users table...and if the password is a match. Auth logs the user on if
so...but if not it takes manually running the queries to generate the right
failure message.

Is there a cleaner way using error messages generated by the getAuth()
method or another method in the Auth class? I didn't see anything in the
docs...but it seems like an obvious bit of functionality I would sort of
expect to be included.

Anyone know of such a thing?

John Corry


Re: [PHP] pear:Auth invalid username/password

2009-02-02 Thread Chris

John Corry wrote:

I'm using Pear Auth on several sites and am looking for suggestions on the
best way to implement error reporting on a failed log-in.

Currently I'm using a function that checks if the posted username is in the
users table...and if the password is a match. Auth logs the user on if
so...but if not it takes manually running the queries to generate the right
failure message.


You mean if it's a valid username but not password?

I'd say don't. While it's a little nicer for your users (hey, your 
password was wrong) - it's also a lot easier for attackers. Hmm, that 
means it's a valid user, let's see if we can brute force the password.


"Username or password is incorrect" - an attacker has no idea which bit 
is wrong. You could force a user to use their email address as their 
username to make it easier to remember.


Depends on the app & audience I guess, if it's an internal only app - go 
with #1 (no idea about Pear Auth though), if it's public, there's no way 
I'd say your password is wrong, just provide a forgot password feature.


--
Postgresql & php tutorials
http://www.designmagick.com/

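The two behaviours discussed above, as an added example that is not code from the thread or from PEAR Auth: the check that reports which half was wrong beside the one that returns a single generic message. It is plain PHP (7.1+) using password_hash()/password_verify(), with a constructed in-memory array standing in for the users table. One caveat goes beyond what the thread says: if the unknown-user path returns without doing a hash verification, it finishes noticeably faster than the wrong-password path, so the account's existence still leaks through response time. The hardened version therefore verifies against a throwaway hash when the user is not found. The function names and the dummy-hash approach are this example's own choices.

```php
<?php
// Added example, not from the mailing-list thread or PEAR Auth.
// Constructed "users table": username => password hash. A real app
// would load this from its database.
$users = [
    'alice@example.com' => password_hash('correct horse', PASSWORD_DEFAULT),
];

// Hash of a random throwaway password. It is verified against when the
// username is unknown, so that path costs about as much as a real
// password check and does not reveal the account's absence by being fast.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

/**
 * Leaky version: the message tells the caller which part was wrong.
 * Shown only as the behaviour the reply argues against; do not ship it
 * on a public login form.
 */
function loginLeaky(array $users, string $user, string $pass): array
{
    if (!isset($users[$user])) {
        return [false, 'Unknown username'];          // confirms no such account
    }
    if (!password_verify($pass, $users[$user])) {
        return [false, 'Wrong password'];            // confirms the account exists
    }
    return [true, 'OK'];
}

/**
 * Hardened version: one message for both failure cases, and a hash
 * verification on every path so response time does not distinguish them.
 * The specific reason is logged server-side for the operator, not shown
 * to the client.
 */
function loginGeneric(array $users, string $dummyHash, string $user, string $pass): array
{
    $hash = $users[$user] ?? $dummyHash;             // unknown user -> dummy hash
    // password_verify() always runs; isset() is checked afterwards so a
    // (practically impossible) match against the dummy hash still fails.
    $ok = password_verify($pass, $hash) && isset($users[$user]);
    if (!$ok) {
        error_log(sprintf('login failed for %s (%s)',
            $user, isset($users[$user]) ? 'bad password' : 'no such user'));
        return [false, 'Username or password is incorrect'];
    }
    return [true, 'OK'];
}

// Constructed attempts: wrong password for a real user, unknown user,
// and a correct login.
$attempts = [
    ['alice@example.com', 'wrong'],
    ['bob@example.com',   'wrong'],
    ['alice@example.com', 'correct horse'],
];

foreach ($attempts as [$u, $p]) {
    [, $leakyMsg]   = loginLeaky($users, $u, $p);
    [, $genericMsg] = loginGeneric($users, $dummyHash, $u, $p);
    printf("%-18s leaky: %-18s generic: %s\n", $u, $leakyMsg, $genericMsg);
}
```

Run with `php login_example.php`: the leaky variant prints two different messages for the first two attempts, while the generic variant prints the same one for both, and only the server log records which it was. This is the same information PEAR Auth's own failure status would give you; the point of the reply is that it should stay on the server side.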

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php