-1. If a person brute-forces your site and finds the correct username/password, they could try this on other sites (Gmail, banking, etc.). While it would make it a little more clear, I think the implications are too big.
On Sep 13, 3:14 pm, Adam Jenkins <[email protected]> wrote:
> On Tue, Sep 13, 2011 at 12:42 PM, Wim Feijen <[email protected]> wrote:
> > Hi, thanks for your quick responses!
> >
> > Flavio, Jan and Florian, it only "gives away information" when an
> > attacker guesses both the username and the password right.
>
> I think this is the correct approach. Give them the access warning on
> correct login. It also seems to be the standard way of doing such
> things in my experience.
>
> > But if he can guess those right, he could already access the user's
> > information using the normal login! So giving this message does not
> > change the danger. On the other hand, it would prevent lots of
> > confusion.
>
> We really shouldn't be confusing the end user. It's just bad design to do so.
>
> > But we are repeating arguments here, so could you please read:
> > http://groups.google.com/group/django-developers/browse_thread/thread...
> > before responding?
> >
> > Thanks!
> >
> > Wim
> >
> > On 13 sep, 19:23, Flávio Amieiro <[email protected]> wrote:
> >> On Tue, Sep 13, 2011 at 2:16 PM, Cal Leeming [Simplicity Media Ltd]
> >> <[email protected]> wrote:
> >> > +1, if the user/pass is entered, that user is entitled to know what its
> >> > own permissions are.
> >> > The error should give "You have insufficient access to this page" or
> >> > something like that.
> >>
> >> The thing is: if someone does a brute force attack on '/admin/' and
> >> gets this message back, they know there's a user with that
> >> login/password in the system. Since brute force attacks using common
> >> login/password pairs on these kinds of URLs are so common, I think this
> >> exposes your user more than necessary.
> >>
> >> -1
> >
> > --
> > You received this message because you are subscribed to the Google Groups "Django developers" group.
> > To post to this group, send email to [email protected].
> > To unsubscribe from this group, send email to [email protected].
> > For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
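The two response policies argued over in this thread, as an added illustration that is not code from the thread or from Django itself: `admin_login_verbose` returns the distinct "insufficient access" message Cal proposes for a valid but non-staff account, while `admin_login_generic` returns the same error whether the pair is wrong or merely not staff. `response_reveals_valid_password` is a hypothetical defender-side check that shows which policy lets a correct-but-non-staff password be told apart from a wrong one, which is the leak Flávio describes. The user store, account names and passwords are constructed sample data; the hashing (PBKDF2 with a dummy hash for unknown usernames) is an assumption standing in for Django's own password hashers.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 50_000  # assumed cost; Django's hashers pick their own


@dataclass(frozen=True)
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    is_staff: bool


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(username: str, password: str, is_staff: bool) -> User:
    salt = os.urandom(16)
    return User(username, salt, _hash(password, salt), is_staff)


# Constructed sample accounts (hypothetical): one staff user, one plain user.
USERS = {
    u.username: u
    for u in (
        make_user("alice", "correct horse", is_staff=True),
        make_user("bob", "battery staple", is_staff=False),
    )
}

# Dummy material so an unknown username still costs one hash computation;
# otherwise response time alone would reveal which usernames exist.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy-password", _DUMMY_SALT)

GENERIC_ERROR = "Please enter a correct username and password."
ACCESS_ERROR = "You have insufficient access to this page."


def check_credentials(username: str, password: str):
    """Return the User when the pair is valid, else None (constant-time compare)."""
    user = USERS.get(username)
    if user is None:
        hmac.compare_digest(_hash(password, _DUMMY_SALT), _DUMMY_HASH)
        return None
    if hmac.compare_digest(_hash(password, user.salt), user.pw_hash):
        return user
    return None


def admin_login_verbose(username: str, password: str) -> str:
    """Policy proposed in the thread: a valid non-staff pair gets its own message."""
    user = check_credentials(username, password)
    if user is None:
        return GENERIC_ERROR
    if not user.is_staff:
        return ACCESS_ERROR
    return "OK"


def admin_login_generic(username: str, password: str) -> str:
    """Single message for both 'wrong pair' and 'valid pair but not staff'."""
    user = check_credentials(username, password)
    if user is None or not user.is_staff:
        return GENERIC_ERROR
    return "OK"


def response_reveals_valid_password(login_fn, username, right_pw, wrong_pw) -> bool:
    """True when the response body differs between a correct and an incorrect
    password for a non-staff account, i.e. the message confirms the pair."""
    return login_fn(username, right_pw) != login_fn(username, wrong_pw)


if __name__ == "__main__":
    for fn in (admin_login_verbose, admin_login_generic):
        leak = response_reveals_valid_password(fn, "bob", "battery staple", "nope")
        print(f"{fn.__name__}: confirms non-staff credentials = {leak}")
```

The generic policy removes the message-level difference for non-staff accounts; whether that trade-off against user confusion is worth it is exactly the question the thread leaves open. Note that equalising the message does nothing about timing or rate limits, which is why the dummy hash and, in a real deployment, throttling on '/admin/' would still be needed.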
