Marcin Soltysiak wrote:
----- Original Message -----

I see you have different error messages during login for:

invalid email address

user does not exist

invalid password

It might be better to return the same message for all so the hostile hacker can't learn as much about your users.

Good point. I'd suggest

- ERR XXX Login invalid

to stdout and detailed info to syslog


It's using tcpserver, so why not to multilog? I personally try to limit as much as possible the use of syslog.
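An added example, not part of the original messages or the project's code: the three failure cases named in the thread all produce the same client reply, while the specific reason goes only to a log stream. The function names, the sample user store, the "OK" success reply, and the use of stderr as the stream a multilog pipeline would capture are assumptions; "XXX" is the thread's own placeholder.

```python
import hmac
import sys

# The single client-facing message suggested in the thread; "XXX" is the
# thread's own placeholder for the error code and is kept as-is.
GENERIC_FAILURE = "ERR XXX Login invalid"

# Constructed sample account store (hypothetical; a real service would
# hold password hashes, not plaintext).
USERS = {"alice@example.com": "correct horse"}


def printable(value, limit=64):
    """Replace control characters so a crafted login cannot forge log lines."""
    return "".join(c if c.isprintable() else "?" for c in value[:limit])


def classify(email, password, users):
    """Return None on success, else the detailed failure reason (log only)."""
    local, _, domain = email.partition("@")
    if not local or not domain or "@" in domain:
        return "invalid email address"
    if email not in users:
        return "user does not exist"
    if not hmac.compare_digest(users[email].encode(), password.encode()):
        return "invalid password"
    return None


def handle_login(email, password, users=USERS, out=sys.stdout, log=sys.stderr):
    """Answer the client on `out`; write the specific reason only to `log`."""
    reason = classify(email, password, users)
    if reason is None:
        reply = "OK"  # hypothetical success reply
    else:
        reply = GENERIC_FAILURE
        # The password is never logged; the address is sanitized first.
        log.write(f"login failed: {reason}: {printable(email)}\n")
    out.write(reply + "\n")
    return reply
```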

