Our team noticed that "Disable login failure error message" option under the login_security configs is not working. When a bad username or password is used at login, the default Drupal error message "Sorry, unrecognized username or password. Have you forgotten your password?" is appearing.

Attached file: #16 login_security-2074123-16.patch (871 bytes, by shrop)

Comments

shrop’s picture

Status: Active » Fixed

This issue was caused by a usability commit in Drupal 7.23. You can read about it in this issue.

This issue has been resolved in this commit.

shrop’s picture

Updates committed:

* Improved the preg_grep regex to include the user name and full message check compatible with Drupal core 7.23+
* Updated related simpletests to support the new error message
* Added check_plain() for the user name for value returned

shrop’s picture

I confirmed that this fix doesn't apply to the 5.x-1.x and 6.x-1.x branches. I then released login_security 7.x-1.6.

quiptime’s picture

The bug still exists in 7.x-1.6.

quiptime’s picture

Status: Fixed » Active

shrop’s picture

Status: Active » Postponed (maintainer needs more info)

@quiptime: Are you running Drupal core 7.23? This fix is only for that version and onward. If not, can you provide more details? I already have this fix deployed on production applications and it appears to be working fine. Thanks!

quiptime’s picture

The error occurs on Drupal core 7.23.

The login page uses math Captcha 7.x-1.0.

Is the bug fixed in login_security 7.x-1.6?

shrop’s picture

Thanks for the details! So, it sounds like an interaction issue with math captcha. Have you tried login_security 7.x-1.7?

I wonder if it is a weight issue where math captcha is getting to reset the login form first?

quiptime’s picture

The problem still exists with

  • Drupal 7.23
  • login_security 7.x-1.7
  • without the use of the Captcha module

My Login Security configuration:

The option Disable login failure error message is enabled. All other configurable options use the default values.

shrop’s picture

Thanks for that clarification @quiptime.

I did go back and do some tests on one of our production sites with the latest login_security codebase. The login failure error messages do stay hidden as expected for the latest versions of Safari, Chrome, Firefox, and IE10. I then ran drush quick-drupal with Drupal 7.23 and Login Security 7.x-1.7. The feature also works fine there with default options and "Disable login failure error message" enabled.

Just to clarify, when you have "Disable login failure error message" enabled/checked, you still see the "Sorry, unrecognized username or password. Have you forgotten your password?" message? That is not the case for me, but just wanted to be sure that is what you mean by your report that it isn't working.

I will leave this issue open with "needs more information" for a while to see if others report problems as you have seen. I don't think there is any more I can do until we have more info.

Thanks!

quiptime’s picture

Just to clarify, when you have "Disable login failure error message" enabled/checked, you still see the "Sorry, unrecognized username or password. Have you forgotten your password?" message? That is not the case for me, but just wanted to be sure that is what you mean by your report that it isn't working.

Yes, I mean the message "Sorry, unrecognized username or password. Have you forgotten your password?".

quiptime’s picture

I have debugged your code a little bit.

  // Login failed.
  $messages = drupal_get_messages('error', FALSE);

  if (!empty($messages['error'])) {
    $password_message = preg_grep("/<a href=\"\/user\/password\?name=$name\">Have you forgotten your password\?<\/a>/", $messages['error']);
    $block_message = preg_grep("/The username <em class=\"placeholder\">$name<\/em> has not been activated or is blocked./", $messages['error']);

    if (user_is_anonymous() && (!empty($password_message) || !empty($block_message))) {

My debug result

On the login page, a user is always anonymous.
The function user_is_anonymous() makes no sense.

The variables $password_message and $block_message are arrays.
The usage of !empty($password_message) and !empty($block_message) does not work for an array.

My bug fix

    if (!count($password_message) || !count($block_message)) {

With this code, the message "Sorry, unrecognized username or password. Have you forgotten your password?" is hidden if a login fails.
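As an added, stand-alone illustration (not code from the login_security module or from either poster), the following script imitates the "Disable login failure error message" check outside Drupal so the preg_grep() matching can be exercised directly. The message wording follows the Drupal 7.23 core strings quoted in this thread; the function names, the sample $errors array and the $name values are constructed for the example. It also quotes the submitted username with preg_quote() before interpolating it into the pattern, since that value is user-controlled and the module code above drops it into a regular expression verbatim.

```php
<?php
// Added example, not part of the login_security module: a stand-alone
// imitation of the "Disable login failure error message" check so the
// preg_grep() logic from the thread can be run without a Drupal install.
// Message texts mirror Drupal 7.23 core; the helper names are invented.

/**
 * Return the error messages that a failed login produced for $name.
 *
 * @param string[] $errors The 'error' messages collected so far. In Drupal
 *                         these come from drupal_get_messages('error', FALSE);
 *                         here they are a constructed sample.
 * @param string   $name   The username submitted on the login form.
 * @return string[] Matching messages keyed as in $errors; empty when none.
 */
function example_login_failure_messages(array $errors, $name) {
  // The username is user input interpolated into a pattern, so quote it as a
  // literal: an unquoted "." or "(" would widen the match or make the
  // expression malformed, and then nothing would be suppressed.
  $quoted = preg_quote($name, '/');

  $password_message = preg_grep(
    "/<a href=\"\/user\/password\?name=$quoted\">Have you forgotten your password\?<\/a>/",
    $errors
  );
  $block_message = preg_grep(
    "/The username <em class=\"placeholder\">$quoted<\/em> has not been activated or is blocked\./",
    $errors
  );

  // preg_grep() always returns an array, possibly empty; the array union
  // keeps whichever of the two message kinds matched.
  return $password_message + $block_message;
}

/**
 * Apply the option: drop the matching messages and report whether any were hidden.
 *
 * @return array 'remaining' holds the messages still to be shown,
 *               'suppressed' is TRUE when at least one message was hidden.
 */
function example_suppress_login_failure(array $errors, $name) {
  $hidden = example_login_failure_messages($errors, $name);
  return array(
    'remaining'  => array_diff_key($errors, $hidden),
    'suppressed' => !empty($hidden),
  );
}

// Constructed sample: the core wording for a wrong password and for a blocked
// account, plus an unrelated error that the filter must leave alone.
$name = 'alice';
$errors = array(
  'Sorry, unrecognized username or password. <a href="/user/password?name=' . $name . '">Have you forgotten your password?</a>',
  'The username <em class="placeholder">' . $name . '</em> has not been activated or is blocked.',
  'The website encountered an unexpected error.',
);

$result = example_suppress_login_failure($errors, $name);
var_dump($result['suppressed']);
print_r($result['remaining']);

// A username containing regex metacharacters is still matched literally.
$odd = 'a.b(c';
$odd_errors = array(
  'The username <em class="placeholder">' . $odd . '</em> has not been activated or is blocked.',
);
$odd_result = example_suppress_login_failure($odd_errors, $odd);
var_dump($odd_result['suppressed']);
```

Run with `php example.php`: for the first sample both login-failure messages are removed and only the unrelated error remains, and for the second sample the blocked-account message is still recognised even though the username contains "." and "(". Keeping the two checks separate (rather than one broad pattern) is what lets the option hide both the wrong-password and the blocked-account wording, so an anonymous visitor cannot tell the two cases apart from the response.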

shrop’s picture

Thanks! I didn't think about preg_grep returning an array. Or maybe it is our version of PHP or something. It worked for me in multiple cases, but your change looks right.

Do you mind uploading a patch?

shrop’s picture

Status: Postponed (maintainer needs more info) » Needs work

Changing to "needs work"

shrop’s picture

Also, related simpletests pass for me using 7.x-1.7. I would love some input on how to improve those tests where they would have caught this bug.

shrop’s picture

Issue summary: View changes
Status: Needs work » Fixed
Attached: new file, 871 bytes

Applied quiptime's fix to 7.x-1.x. The patch is also attached here for reference. I confirmed that this fixed the issue. I finally had this happen on a web app so it was easy for me to see quiptime's issue. Thanks for the help!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

  • shrop committed b0e6fba on 7.x-1.x, 8.x-1.x
    Issue #2074123 by shrop: Fixed regex in a preg_grep() to check if login...
  • shrop committed c7ffe88 on 7.x-1.x, 8.x-1.x
    Issue #2074123 by shrop: Additional refinements to the "Disable login...
  • shrop committed e0c2e40 on 7.x-1.x, 8.x-1.x
    Issue #2074123 by shrop: Added a check_plain() for the username value
  • shrop committed 45dfdf3 on 7.x-1.x, 8.x-1.x authored by quiptime
    Issue #2074123 by quiptime: Fixed disable login failure error message...

my-family’s picture

Version: 7.x-1.x-dev » 7.x-1.9
Priority: Normal » Major

UPDATED:

Disabling the core message works. However, if this option is enabled (together with the "Notify the user about the number of remaining login attempts" checkbox), there is another problem:

There is no message about blocking the user. Instead, the login form refreshes with the warning (yellow) message about the number of attempts.