Ahhh, that is quite frustrating! I see this as quite a big usability improvement at virtually no cost to security; would an optional parameter like auth.login(return_specific_error=True) still fail security checks for OWASP?
If this isn't possible at a web2py framework level, I'd like to know how do-able or advisable it would be to implement my own login method, where everything would virtually be the same as auth.login(), but it would return specific error messages.

On Friday, September 12, 2014 2:43:35 PM UTC-7, Derek wrote:
>
> You and I understand that, but that doesn't make it any more valid to
> return more specific login error related information.
>
> https://www.owasp.org/index.php/Authentication_Cheat_Sheet#User_IDs
>
> If we want to pass security checks for 'owasp' then we have to have
> generic messages for login failures. Boneheaded as it may be, it's what
> people expect secure software to do.
>
> On Thursday, September 11, 2014 1:49:36 PM UTC-7, Mark Li wrote:
>>
>> Looking through the source for auth.login(), it seems that the same
>> "invalid login" error is given no matter what the particular error is
>> (either username/email, or the password is wrong).
>>
>> I wanted to know if it is possible to return a more specific error msg
>> after a failed login. If I use username and password as my login inputs,
>> then I want to know the cause of a failed login:
>> 1. Is the username in the database?
>> 2. Is the password correct for that username?
>>
>> MailChimp did a brief write-up about this:
>> http://blog.mailchimp.com/social-login-buttons-arent-worth-it/, where
>> giving users a specific error msg had a very big impact on reducing login
>> failure rates. They also addressed the security issue of being vague for
>> login failure errors; it was determined to be a false risk. You can find
>> out whether or not a username is taken through the registration form
>> anyway, so providing a specific error msg on the login page does not tell
>> you any more information than the registration page.
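An added example (not web2py's auth.login() and not code from anyone in the thread) showing how the two positions in the thread can coexist: the browser gets the generic "Invalid login" message the OWASP cheat sheet asks for, while the specific reason (unknown user vs. wrong password) is recorded server-side, where it is useful for support and for spotting account-enumeration or password-spraying attempts. The `return_specific_error` parameter, the in-memory user table and the audit log are assumptions made up for this example; they are not web2py APIs.

```python
"""Generic login message to the client, specific reason kept server-side.

Example code, not web2py's auth.login(). The user table, audit log and the
return_specific_error parameter are constructed for this illustration.
"""
import hashlib
import hmac
import os
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Reason(Enum):
    OK = "ok"
    UNKNOWN_USER = "unknown_user"
    BAD_PASSWORD = "bad_password"


GENERIC_MESSAGE = "Invalid login"          # what the browser sees by default
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, pbkdf2-sha256 digest); a fresh random salt if none given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed stand-in for the auth_user table: username -> (salt, digest).
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": hash_password("correct horse battery staple"),
}
# Dummy credential hashed for unknown users so the work done (and therefore the
# response time) does not differ between "no such user" and "wrong password".
_DUMMY_SALT, _DUMMY_HASH = hash_password("not-a-real-password")

# Server-side record of the specific failure reason (assumed, for this example).
AUDIT_LOG: List[dict] = []


def _check(username: str, password: str) -> Reason:
    """Classify the attempt precisely; this result never goes to the client as-is."""
    record = USERS.get(username)
    salt, expected = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    _, candidate = hash_password(password, salt)
    matched = hmac.compare_digest(candidate, expected)   # constant-time compare
    if record is None:
        return Reason.UNKNOWN_USER
    return Reason.OK if matched else Reason.BAD_PASSWORD


def login(username: str, password: str,
          return_specific_error: bool = False) -> Tuple[bool, Optional[str]]:
    """Return (success, message). The message is generic unless the caller opts in."""
    reason = _check(username, password)
    AUDIT_LOG.append({"user": username, "reason": reason.value})
    if reason is Reason.OK:
        return True, None
    if return_specific_error:
        specific = {Reason.UNKNOWN_USER: "Unknown username",
                    Reason.BAD_PASSWORD: "Wrong password"}
        return False, specific[reason]
    return False, GENERIC_MESSAGE


def unknown_user_attempts() -> int:
    """Detection helper: how many attempts targeted usernames that do not exist.

    A burst of these from one source is the enumeration pattern the generic
    message is meant to blunt, and is visible here even though clients never
    learn which reason applied.
    """
    return sum(1 for entry in AUDIT_LOG if entry["reason"] == Reason.UNKNOWN_USER.value)


if __name__ == "__main__":
    print(login("alice", "correct horse battery staple"))
    print(login("alice", "wrong"))                                 # generic message
    print(login("bob", "wrong"))                                   # same generic message
    print(login("bob", "wrong", return_specific_error=True))       # opt-in specific message
    print("unknown-user attempts logged:", unknown_user_attempts())
```

Whether the opt-in flag is acceptable is the policy question the thread is arguing about; the point of keeping `_check` separate from `login` is that the decision can be made per deployment without losing the precise reason in the audit trail, and that the dummy hash computation keeps the two failure paths indistinguishable by timing even when the message is generic.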