Looking through the source for auth.login(), it seems that the same "invalid login" error is given no matter what the particular error is (either username/email, or the password is wrong).
I wanted to know if it is possible to return a more specific error msg after a failed login. If I use username and password as my login inputs, then I want to know the cause of a failed login:

1. Is the username in the database?
2. Is the password correct for that username?

MailChimp did a brief write-up about this: http://blog.mailchimp.com/social-login-buttons-arent-worth-it/, where giving users a specific error msg had a very big impact on reducing login failure rates. They also addressed the security issue of being vague for login failure errors; it was determined to be a false risk. You can find out whether or not a username is taken through the registration form anyway, so providing a specific error msg on the login page does not tell you any more information than the registration page.

