John Corry wrote:
> I'm using Pear Auth on several sites and am looking for suggestions on the
> best way to implement error reporting on a failed log-in.
> Currently I'm using a function that checks if the posted username is in the
> users table...and if the password is a match. Auth logs the user on if
> so...but if not it takes manually running the queries to generate the right
> failure message.
You mean if it's a valid username but not password?
I'd say don't. While it's a little nicer for your users ("hey, your
password was wrong") - it's also a lot easier for attackers. "Hmm, that
means it's a valid user, let's see if we can brute force the password".
"Username or password are incorrect" - an attacker has no idea which bit
is wrong. You could force a user to use their email address as their
username to make it easier to remember.
Depends on the app & audience I guess, if it's an internal only app - go
with #1 (no idea about Pear Auth though), if it's public, there's no way
I'd say your password is wrong, just provide a "forgot password" feature.
--
Postgresql & php tutorials
http://www.designmagick.com/
--
PHP General Mailing List (http://www.php.net/)
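The generic-message approach from the reply above, as an added example that is not part of the thread and does not use PEAR Auth's own API: a plain PHP login check that returns the same "Username or password is incorrect" message whether the username is unknown or the password is wrong, and that runs the password check in both cases so the failure path takes about the same time either way. The user table and credentials are constructed for the example.

```php
<?php
// Added example (not from the thread, not PEAR Auth's API): one generic
// failure message regardless of which part of the login was wrong.
// Assumes a constructed in-memory user table; a real app would query its DB.

const LOGIN_FAILED_MSG = 'Username or password is incorrect.';

// Constructed sample users (hashes made with password_hash at setup time).
function sampleUsers(): array
{
    return [
        'alice@example.com' => password_hash('correct horse', PASSWORD_DEFAULT),
    ];
}

// Returns ['ok' => true] on success, ['ok' => false, 'message' => ...] otherwise.
// The caller never learns whether the username or the password was the wrong bit.
function checkLogin(array $users, string $username, string $password): array
{
    // Hash of a dummy password, so password_verify runs even for unknown users
    // and an unknown username is not noticeably faster than a wrong password.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password-not-in-use', PASSWORD_DEFAULT);
    }

    $known = isset($users[$username]);
    $hash  = $known ? $users[$username] : $dummyHash;
    $valid = password_verify($password, $hash) && $known;

    if (!$valid) {
        // Record the specifics server-side for the operator; the user only
        // ever sees the generic message.
        error_log(sprintf('failed login attempt for "%s"', $username));
        return ['ok' => false, 'message' => LOGIN_FAILED_MSG];
    }
    return ['ok' => true, 'message' => 'Welcome back.'];
}

// Demonstration: the two failure cases produce the identical message.
$users = sampleUsers();
foreach ([['alice@example.com', 'correct horse'],
          ['alice@example.com', 'wrong password'],
          ['nobody@example.com', 'correct horse']] as [$u, $p]) {
    $r = checkLogin($users, $u, $p);
    printf("%-20s %s\n", $u, $r['ok'] ? 'logged in' : $r['message']);
}
```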