
This queue is for tickets about the Apache2-AuthCookieDBI CPAN distribution.

Report information
The Basics
Id: 75685
Status: rejected
Worked: 5 min
Priority: 0/
Queue: Apache2-AuthCookieDBI

People
Owner: Nobody in particular
Requestors: ccolumbu [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: Wishlist
Broken in: (no value)
Fixed in: (no value)



Subject: $ENV{'REDIRECT_AuthCookieReason'} value
When a user fails to log in, the module writes a descriptive error message; however, the $ENV{'REDIRECT_AuthCookieReason'} value is just "bad_credentials", so there is no way to tell the user things like "Your account is not active yet".

I don't think you should tell the user that the username entered does not exist, because hackers can use that for brute force attacks, but some programmers might want to display that type of message, and the bad_credentials does not tell you if it is an undefined user name, or just a bad password for a valid username.

Is it possible to make that var more descriptive?

Subject: $ENV{'REDIRECT_AuthCookieReason'} value
On Sun Mar 11 00:57:33 2012, ccolumbu wrote:
> When a user fails to login the module writes a descriptive error
> message, however the $ENV{'REDIRECT_AuthCookieReason'} value is just
> "bad_credentials" so there is no way to tell the user things like "Your
> account is not active yet".
> I don't think you should tell the user that the username entered does
> not exist, because hackers can use that for brute force attacks, but
> some programmers might want to display that type of message, and the
> bad_credentials does not tell you if it is an undefined user name, or
> just a bad password for a valid username.
>
> Is it possible to make that var more descriptive?

That message is set in the base class: AuthCookie.pm in the login() method, so you should file a request on that distro: https://rt.cpan.org/Dist/Display.html?Name=Apache-AuthCookie