+1 on this. Messages should not give inaccurate information.
I think the current behavior is also eventually detrimental to security.
In a real life setting this leads to superfluous password resets and
helpdesk queries - all leading to worse password choices by the common
user, besides the wasted time and effort.
Obviously, the new message should only be shown if the usernamd and
password are matched correctly.
Yishai
On Wed, 09 Mar 2011 10:39:53 +0200, artemy tregubenko <m...@arty.name> wrote:
Hello.
I've recently reported a bug[1] in django but got advice to discuss it
here on django-developers first.
When a user having is_staff=False provides correct username and password
to admin login page, he gets a message "Please enter a correct username
and password. Note that both fields are case-sensitive." This message is
wrong, because username and password are correct. Proper message should
be something like "You do not have permissions to enter admin area."
I want to emphasize once more that when username/password combination is
wrong, message should be about wrong credentials. But when
username/password combination is correct, message should be about
permissions.
Russellm opposed that idea saying: "This isn't a good idea, because it
can be used by an attacker to identify admin accounts. This would be a
leak of potentially sensitive information, narrowing the scope for any
attack."
I consider that point not valid for following reasons:
* If attacker has no access to any login or password, he will still see
"wrong password" message.
* If attacker has access to login and password of one user, it won't
help him to know that this user is not an admin.
* If attacker knows all logins and passwords, proposed change won't make
attack any easier: attacker will just try them one after another.
That's why I think that proposed change doesn't weaken security and
should be implemented.
I'm strongly in favor of this change, because my mind was blown off when
during debug I could login to a site with my credentials, but not to
admin section. I've lost some time looking for a bug in my code until I
checked is_staff flag.
1: http://code.djangoproject.com/ticket/15567
--
You received this message because you are subscribed to the Google Groups "Django
developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to
django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/django-developers?hl=en.
