On Tue, Sep 13, 2011 at 12:42 PM, Wim Feijen <[email protected]> wrote: > Hi, thanks for your quick responses! > > Flavio, Jan and Florian, it only "gives away information" when an > attacker guesses both the username and the password right.
I think this is the correct approach. Give them the access warning on correct login. It also seems to be the standard way to doing such things in my experience. > > But if he can guess those right, he could already access the users > information using the normal login! So giving this message does not > change the danger. On the other hand, it would prevent lots of > confusion. We really shouldn't be confusing the end user. It's just bad design to do so. > > But we are repeating arguments here, so could you please read: > > http://groups.google.com/group/django-developers/browse_thread/thread/df19241a0b1a04ef > > before responding? > > Thanks! > > Wim > > > On 13 sep, 19:23, Flávio Amieiro <[email protected]> wrote: >> On Tue, Sep 13, 2011 at 2:16 PM, Cal Leeming [Simplicity Media Ltd] >> >> <[email protected]> wrote: >> > +1, if the user/pass is entered, that user is entitled so know what its own >> > permissions are. >> > The error should give "You have insufficient access to this page" or >> > something like that. >> >> The thing is: if someone does a brute force attack on '/admin/' and >> gets this message back, they know there's a user with that >> login/password in the system. Since brute force attacks using common >> login/password pairs in this kinds of urls is so common, I think this >> exposes your user more than necessary. >> >> -1 > > -- > You received this message because you are subscribed to the Google Groups > "Django developers" group. > To post to this group, send email to [email protected]. > To unsubscribe from this group, send email to > [email protected]. > For more options, visit this group at > http://groups.google.com/group/django-developers?hl=en. > > -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
