On Fri, February 2, 2007 5:33 am, Satyam wrote:
> In login scripts you usually don't tell which part of the login is wrong,
> otherwise, you are hinting at what is right. Once the customer is logged
> in, you are right to be as helpful as possible, but until the customer
> proves who he/she is, you don't give away anything.

Satyam is correct: It's more secure to not indicate when the username was incorrect differently from an incorrect password.

But it's definitely also (very much) less user-friendly.

For example, in seldom-used applications where the user is very likely to forget their username, such as 99% of the stupid websites that require me to register for something that needs no security in the first place, it's a royal pain in the ass. :-)

You have to balance Security against Usability and make an informed intelligent decision.

I also wondered why you have an ID number that somebody is supposed to remember, and an email, when either one should be sufficient for most applications, but it was easier to type out an answer than to get you to re-think your design decisions. :-)

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
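As an added illustration of the point made in this thread (example code written for this page, not posted by Satyam or the reply's author): the two login functions below differ only in what they tell the caller about a failed attempt. `login_leaky()` reports whether the user ID or the password was the wrong part; `login_generic()` returns one message for both cases. The `$users` array is constructed sample data standing in for the application's user table, and the `$dummyHash` used to make an unknown ID cost the same `password_verify()` call as a known one is an assumption added here, not something the thread discusses.

```php
<?php
// Added example, not code from the original thread.
// Shows a login check that reveals which part of the credentials failed,
// beside one that gives the same answer for an unknown ID and a wrong password.

// Constructed sample user store: user id => bcrypt hash of the password.
$users = [
    'alice' => password_hash('correct horse', PASSWORD_DEFAULT),
];

// Hash of a throwaway value (assumption added here): verifying against it
// means an unknown user id still costs one password_verify() call, so the
// failure path looks the same from outside whether or not the id exists.
$dummyHash = password_hash('throwaway', PASSWORD_DEFAULT);

// Leaky variant: distinguishes "no such user" from "wrong password",
// which tells a caller which user ids are registered.
function login_leaky(array $users, string $id, string $password): array
{
    if (!isset($users[$id])) {
        return ['ok' => false, 'message' => 'Unknown user ID'];
    }
    if (!password_verify($password, $users[$id])) {
        return ['ok' => false, 'message' => 'Wrong password'];
    }
    return ['ok' => true, 'message' => 'Welcome'];
}

// Generic variant: one message for every failure, and the same amount of
// work done in both failure cases.
function login_generic(array $users, string $dummyHash, string $id, string $password): array
{
    $userExists = isset($users[$id]);
    $hash       = $userExists ? $users[$id] : $dummyHash;
    $passwordOk = password_verify($password, $hash);

    if (!$userExists || !$passwordOk) {
        return ['ok' => false, 'message' => 'Invalid user ID or password'];
    }
    return ['ok' => true, 'message' => 'Welcome'];
}

// Constructed attempts: unknown id, known id with wrong password, correct pair.
$attempts = [
    ['bob',   'nope'],
    ['alice', 'nope'],
    ['alice', 'correct horse'],
];

foreach ($attempts as [$id, $pw]) {
    printf("%-6s leaky: %-16s generic: %s\n",
        $id,
        login_leaky($users, $id, $pw)['message'],
        login_generic($users, $dummyHash, $id, $pw)['message']);
}
```

The usability cost the reply describes does not go away; the generic variant simply moves the "which part did I get wrong?" help out of the login response and into a separate, rate-limited "forgot your user ID" flow, where the application can decide how much to disclose and to whom.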