Opened 11 years ago

Closed 10 years ago

#1908 closed defect (wontfix)

Unconfirmed users get a message saying their password is incorrect if they don't enter it correctly

Reported by: avar
Owned by: Tom Hughes
Priority: trivial
Milestone:
Component: website
Version:
Keywords: auth
Cc:


  • Create a user
  • Don't confirm it with the e-mail auth
  • Try to log in with the correct user/password
  • Try to log in with the correct user/wrong password

If the user is not authenticated and someone enters the password for that user incorrectly, the web UI will whine about not being able to log in with those details. That's silly; if the user is unconfirmed it should whine about that regardless of whether an incorrect password is entered.

Relevant code in the user controller:

    user = User.authenticate(:username => email_or_display_name, :password => pass)
    if user
      # Correct password for a confirmed account: store the user in the session.
      session[:user] = user.id
      if params[:referer]
        redirect_to params[:referer]
      else
        redirect_to :controller => 'site', :action => 'index'
      end
    elsif User.authenticate(:username => email_or_display_name, :password => pass, :inactive => true)
      # Correct password, but the account has not been confirmed yet.
      @notice = I18n.t('user.login.account not active')
    else
      # Wrong password or unknown user: the same message for both.
      @notice = I18n.t('user.login.auth failure')
    end

Change History (2)

comment:1 Changed 11 years ago by Tom Hughes

This is a difficult area - it is generally considered to be good security practice not to indicate exactly why a login failed as it makes it easier for somebody searching for valid credentials to know which value to change next time round.

comment:2 Changed 10 years ago by Tom Hughes

Resolution: wontfix
Status: new → closed

I really don't see that this is an issue - the first thing that somebody is going to do when being told that it "could not log in with those details" is to try again at which point they will probably get the password correct and will be told the account is not active yet.

The only gain here is that somebody that hasn't confirmed their account *and* who types their password wrongly will be reminded to confirm the account without having to go to the trouble of typing their password again.
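The security point made in comment:1 can be checked directly. The following Ruby script is an added example, not code from the OpenStreetMap rails_port or from either participant: it models the controller logic quoted in the ticket (policy "current") next to the behaviour the ticket asks for (policy "proposed") and probes both with a wrong password. The `User` class, its `authenticate` method and the two sample accounts are constructed stand-ins; the assumption that `:inactive => true` lets unconfirmed accounts match as well is made here, not taken from the page.

```ruby
# Added example, not code from the OpenStreetMap rails_port: a minimal model of
# the login flow quoted in the ticket, used to show what each error-message
# policy reveals to a caller who does NOT know the password.
require 'digest'

class User
  attr_reader :display_name, :active

  def initialize(display_name, password, active)
    @display_name = display_name
    @pass_digest = Digest::SHA256.hexdigest(password) # illustration only, no salt
    @active = active
  end

  def password_ok?(pass)
    @pass_digest == Digest::SHA256.hexdigest(pass)
  end

  # Stands in for the real User.authenticate(:username, :password, :inactive).
  # Assumption: :inactive => true lets unconfirmed accounts match as well.
  def self.authenticate(username:, password:, inactive: false)
    user = USERS.find { |u| u.display_name == username }
    return nil unless user && user.password_ok?(password)
    return nil unless user.active || inactive
    user
  end
end

# Constructed sample accounts: one confirmed, one registered but never confirmed.
USERS = [
  User.new('alice', 'correct horse', true),
  User.new('bob', 'battery staple', false)
].freeze

# Policy 1: the controller code quoted in the ticket. The "not active" message
# is shown only after the password has been verified.
def login_message_current(username, password)
  if User.authenticate(username: username, password: password)
    'logged in'
  elsif User.authenticate(username: username, password: password, inactive: true)
    'account not active'
  else
    'auth failure'
  end
end

# Policy 2: what the ticket asks for. The unconfirmed state is reported
# regardless of whether the password was right.
def login_message_proposed(username, password)
  user = USERS.find { |u| u.display_name == username }
  if user && !user.active
    'account not active'
  elsif User.authenticate(username: username, password: password)
    'logged in'
  else
    'auth failure'
  end
end

# Probe a policy with a wrong password across several candidate names. If the
# messages differ, the login form is an account-existence oracle: the caller
# learns which names are registered without knowing any password.
def distinguishable?(policy, names, wrong_password = 'definitely wrong')
  names.map { |name| send(policy, name, wrong_password) }.uniq.size > 1
end

if __FILE__ == $PROGRAM_NAME
  names = %w[alice bob nobody]
  puts "current:  #{names.map { |n| login_message_current(n, 'x') }.inspect}"
  puts "proposed: #{names.map { |n| login_message_proposed(n, 'x') }.inspect}"
  puts "current leaks existence? #{distinguishable?(:login_message_current, names)}"
  puts "proposed leaks existence? #{distinguishable?(:login_message_proposed, names)}"
end
```

With the current policy, an unconfirmed account and a non-existent name both produce `auth failure` when the password is wrong, so nothing about the account list leaks to a caller who has no password. With the proposed policy the unconfirmed account answers `account not active` on any password, which distinguishes it from unknown names. A uniform message is only part of the picture: response time and any difference in the rendered page also have to be the same across the two cases, or the distinction remains observable.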
