[MAGNOLIA-2629] message for username / PW failure should be corrected Created: 20/Feb/09 Updated: 02/Dec/13 Resolved: 02/Dec/13 |
|
| Status: | Closed |
| Project: | Magnolia |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major |
| Reporter: | Boris Kraft | Assignee: | Unassigned |
| Resolution: | Outdated | Votes: | 0 |
| Labels: | java5 | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
|
Currently, if you mistype your password when logging into Magnolia, a message is displayed saying: "username and password do not match". Of course the username and password should not be the same; in other words, they should not match. Please correct the message to simply say "Wrong username and password combination". |
| Comments |
| Comment by Magnolia International [ 20/Feb/09 ] |
|
The current message seems to be quite standard, though. On the other hand, ours should probably simply be "Incorrect password.", because we actually output a different message when the username does not exist. |
| Comment by Magnolia International [ 20/Feb/09 ] |
|
Ha - I know why we used a generic message (non-specific to the password being wrong): with Java 1.4, some of the specific LoginException subclasses (which is how we can know the username is invalid, for instance) did not exist, so we had to have at least one generic message. Tagging this with Java 5, so when we start using Java 5 niceness, hopefully we'll remember to clean this up. |
| Comment by Tobias Mattsson [ 02/Dec/13 ] |
|
Closing as outdated; the message is now "Error during login. Please try again." The message is used regardless of whether the username or the password was incorrect. This is better security-wise because you can't deduce by guessing whether a username is valid until you've also guessed the right password. |
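
The trade-off discussed in the comments above, as an added example that is not Magnolia's code: per-cause messages built from the JAAS `LoginException` subclasses reveal whether a username exists, while a uniform message keeps the cause in the server-side log only. The class and method names are hypothetical, and the "Unknown username." text is constructed, since the issue does not quote Magnolia's wording for that case.

```java
import java.util.List;
import java.util.function.Function;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

public class LoginMessages {
    // Text quoted in the closing comment; returned for every failure cause.
    static final String GENERIC = "Error during login. Please try again.";

    // Per-cause text: the response alone tells a client whether the username exists.
    static String perCauseMessage(LoginException e) {
        if (e instanceof AccountNotFoundException) return "Unknown username."; // constructed text
        if (e instanceof FailedLoginException) return "Incorrect password.";
        return GENERIC;
    }

    // Uniform text: the cause never reaches the response.
    static String uniformMessage(LoginException e) {
        return GENERIC;
    }

    // The specific cause is kept for the server-side log only.
    static String auditReason(LoginException e) {
        if (e instanceof AccountNotFoundException) return "unknown-account";
        if (e instanceof FailedLoginException) return "bad-credentials";
        return "other:" + e.getClass().getSimpleName();
    }

    // Regression check: true if the mapping yields different text for different causes.
    static boolean distinguishesCauses(Function<LoginException, String> mapping,
                                       List<LoginException> failures) {
        return failures.stream().map(mapping).distinct().count() > 1;
    }

    public static void main(String[] args) {
        // Constructed failures standing in for what a JAAS LoginModule would throw.
        List<LoginException> failures = List.of(
            new AccountNotFoundException("no such user"),
            new FailedLoginException("password mismatch"));
        for (LoginException e : failures)
            System.out.println(auditReason(e) + " -> " + uniformMessage(e));
        System.out.println("per-cause leaks: " + distinguishesCauses(LoginMessages::perCauseMessage, failures));
        System.out.println("uniform leaks:   " + distinguishesCauses(LoginMessages::uniformMessage, failures));
    }
}
```

A check like `distinguishesCauses` fits in a unit test so that a later change to the message mapping cannot quietly reintroduce per-cause text.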