Opened 9 years ago

Closed 9 years ago

#1908 closed defect (wontfix)

Unconfirmed users get a message saying their password is incorrect if they don't enter it correctly

Reported by: avarab@… Owned by: tom@…
Priority: trivial Milestone:
Component: website Version:
Keywords: auth Cc:

Description

  • Create a user
  • Don't confirm it with the e-mail auth
  • Try to log in with the correct user/password
  • Try to log in with the correct user/wrong password

If the user is not authenticated and someone enters the password for that user incorrectly, the web UI will whine about not being able to log in with those details. That's silly: if the user is unconfirmed it should whine about that regardless of whether an incorrect password is entered.

Relevant code in the user controller:

    user = User.authenticate(:username => email_or_display_name, :password => pass)
    if user
      session[:user] = user.id
      if params[:referer]
        redirect_to params[:referer]
      else
        redirect_to :controller => 'site', :action => 'index'
      end
      return
    elsif User.authenticate(:username => email_or_display_name, :password => pass, :inactive => true)
      # password was correct, but the account has not been confirmed yet
      @notice = I18n.t('user.login.account not active')
    else
      # wrong password or unknown user: deliberately the same notice for both
      @notice = I18n.t('user.login.auth failure')
    end

Change History (2)

comment:1 Changed 9 years ago by tom@…

This is a difficult area - it is generally considered to be good security practice not to indicate exactly why a login failed as it makes it easier for somebody searching for valid credentials to know which value to change next time round.

comment:2 Changed 9 years ago by TomH

  • Resolution set to wontfix
  • Status changed from new to closed

I really don't see that this is an issue - the first thing that somebody is going to do when being told that it "could not log in with those details" is to try again at which point they will probably get the password correct and will be told the account is not active yet.

The only gain here is that somebody that hasn't confirmed their account *and* who types their password wrongly will be reminded to confirm the account without having to go to the trouble of typing their password again.
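A runnable model of the branch quoted in the description next to the behaviour the reporter asked for, added here as an example rather than code from the site itself; the in-memory user store, the SHA-256 password hashing and the helper names are constructed for illustration. It makes the point of comment 1 concrete: with the requested variant, a wrong password alone is enough to learn that an account exists and is unconfirmed.

```ruby
require 'digest'

# Constructed sample users: name => [password digest, confirmed?]
USERS = {
  'alice' => [Digest::SHA256.hexdigest('correct horse'), true],
  'bob'   => [Digest::SHA256.hexdigest('battery staple'), false] # unconfirmed
}.freeze

# Stand-in for User.authenticate(:username, :password, :inactive => ...):
# returns the name when the password matches and the account's
# confirmation state is the one asked for, nil otherwise.
def authenticate(name, pass, inactive: false)
  digest, confirmed = USERS[name]
  return nil unless digest
  return nil unless Digest::SHA256.hexdigest(pass) == digest
  return nil unless confirmed == !inactive
  name
end

# Current controller behaviour: "not active" only after a correct password.
def login_notice_current(name, pass)
  if authenticate(name, pass)
    'logged in'
  elsif authenticate(name, pass, inactive: true)
    'user.login.account not active'
  else
    'user.login.auth failure'
  end
end

# What the ticket asked for: "not active" whenever the account is
# unconfirmed, regardless of the password entered.
def login_notice_requested(name, pass)
  if authenticate(name, pass)
    'logged in'
  elsif USERS.key?(name) && !USERS[name][1]
    'user.login.account not active'
  else
    'user.login.auth failure'
  end
end

# Does a deliberately wrong password already reveal something about the
# account? True means the notice differs from the generic failure.
def reveals_account_without_password?(notice_fn, name)
  send(notice_fn, name, 'definitely-wrong') != 'user.login.auth failure'
end
```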
