"[EMAIL PROTECTED]" <[EMAIL PROTECTED]> writes: > A simliar question, if the log-in authentication fails, how can I tell > if the username failed or the password failed?
You don't want to give that kind of information. It leaks too much information for an attacker. If he doesn't know what failed he isn't sure he got a valid username, for example. It is common to say "bad username/password pair" instead of saying "wrong password for user XYZ" or "user XYZ doesn't exist". -- Jorge Godoy <[EMAIL PROTECTED]> --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "TurboGears" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/turbogears -~----------~----~----~----~------~----~------~--~---
