Posted by deekayen on October 3, 2008 at 3:18pm
| Project: | Login Security |
| Version: | 5.x-1.x-dev |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | deekayen |
| Status: | closed (fixed) |
Issue Summary
Right now, a failed login has a drupal_set_message of
Sorry, unrecognized username or password. Have you forgotten your password?
That just helps an attacker know they need to try again. It'd be nice to figure out a way to unset that before it gets displayed. Maybe hook_exit() can unset a part of a global var somewhere to accomplish it.
Comments
#1
The configuration options allow the administrator to show or hide this information. In fact, displaying this information was a request.
Note: cleaning issue queue
#2
To clarify, I'm not talking about login_security_notice_attempts_available. That shows how many remaining attempts there are for logging in. I mean an option that will unset the aforesaid core message from the session. There was some general session message killing code in there that wiped out the entire list of session messages, but it was not an option and indiscriminate to the content of the messages. I took it out yesterday.
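Added example, not part of the thread and not the Login Security module's code: a selective filter that removes only the core login-failure message and leaves every other queued message in place, in contrast to wiping the whole list. The helper name `example_strip_login_failure`, the sample data, and the assumption that pending messages are held as `$_SESSION['messages'][$type][]` are illustrative.

```php
<?php
// Added illustration; not code from the Login Security module.
// Assumption: pending messages are stored as $messages[$type][] (the layout
// of $_SESSION['messages']), and the core login-failure text begins with
// the sentence quoted in the issue summary.
define('EXAMPLE_LOGIN_FAILURE_PREFIX', 'Sorry, unrecognized username or password.');

/**
 * Hypothetical helper: drop only the core login-failure error message.
 */
function example_strip_login_failure($messages) {
  if (empty($messages['error'])) {
    return $messages;
  }
  $kept = array();
  foreach ($messages['error'] as $message) {
    // Compare on plain text: the real message embeds a password-reset link
    // whose URL differs per site, so an exact string match is unreliable.
    $plain = trim(strip_tags($message));
    if (strpos($plain, EXAMPLE_LOGIN_FAILURE_PREFIX) !== 0) {
      $kept[] = $message;
    }
  }
  if ($kept) {
    $messages['error'] = $kept;
  }
  else {
    // Remove the empty bucket so the theme does not render an empty error box.
    unset($messages['error']);
  }
  return $messages;
}

// Constructed sample data: one status message, the login failure, and an
// unrelated error that must survive the filter.
$sample = array(
  'status' => array('Your settings have been saved.'),
  'error' => array(
    'Sorry, unrecognized username or password. <a href="/user/password">Have you forgotten your password?</a>',
    'Constructed unrelated error message.',
  ),
);
print_r(example_strip_login_failure($sample));
```

The output keeps the status message and the unrelated error and omits only the login-failure text. If no other errors had been queued, the `error` key would be removed entirely.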
#3
Mm... OK, I misunderstood it, now I see clearly. Are you going to take this issue? Or should I?
#4
#5
http://cvs.drupal.org/viewvc.py/drupal/contributions/modules/login_secur...
#6
Automatically closed -- issue fixed for 2 weeks with no activity.