We have moved to GitHub Issues
Created by Murray Roke 03 Jul 2018, 22:18:20 Updated by Murray Roke 31 Jul 2018, 07:48:47Tags: Up For Grabs
When you login, if for any reason an exception occurs. eg: DB offline, config error, etc... I would expect to get an error message. However I get the incorrect login message.
This wastes time when troubleshooting.
While this is definitely a pain in the behind, it is also very much a security problem. If you reveal, for example, that the username was not found then a hacker could start enumerating usernames to find a valid one, before starting to try to enumarate possible passwords against the username.
So what I would suggest is: we leave the generic message in place, if debug is set to false in web.config. Your live sites should not run in debug mode, so we'll never see specific messages.
When, however debug is set to true, we could bubble up the underlying error message and show what is actually going on to (presumably) the developer working on the site.
Care to give a go at sending a PR for this functionality? I've set this to Up for grabs for you or someone else who comes along to give it a go!
Your suggestion would solve most issues, but even in live would it not be ok (perhaps?) to surface just 2 kinds of errors? eg an exception (server error) vs any other kind of login failure.?
Type: Feature (request)
Backwards Compatible: True
Affected versions: 7.10.4
Due in version: