Right now, a failed login has a drupal_set_message of
Sorry, unrecognized username or password. Have you forgotten your password?
That just helps an attacker know they need to try again. It'd be nice to figure out a way to unset that before it gets displayed. Maybe hook_exit() can unset a part of a global var somewhere to accomplish it.
Comments
Comment #1
ilo commented:
The configuration options allow the administrator to show or hide this information. In fact, displaying this information was a request.
Note: cleaning issue queue
Comment #2
deekayen commented:
To clarify, I'm not talking about login_security_notice_attempts_available. That shows how many remaining attempts there are for logging in. I mean an option that will unset the aforesaid core message from the session. There was some general session message killing code in there that wiped out the entire list of session messages, but it was not an option and indiscriminate to the content of the messages. I took it out yesterday.
Comment #3
ilo commented:
Mm.. OK, I misunderstood it, now I see clearly. Are you going to take this issue, or should I?
Comment #4
deekayen commented:
Comment #5
deekayen commented:
http://cvs.drupal.org/viewvc.py/drupal/contributions/modules/login_secur...
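The thread contrasts wiping the entire list of session messages with unsetting only the core failed-login message. The sketch below is an added example, not the login_security module's code or the commit linked above: it removes just the matching message from an array shaped like Drupal's `$_SESSION['messages']`. The function name `example_unset_login_message()` is hypothetical, the match assumes the untranslated English text quoted in the issue, and the sample array is constructed.

```php
<?php
/**
 * Remove only the queued messages whose plain text starts with $needle.
 *
 * $messages has the shape Drupal uses for $_SESSION['messages']:
 * array('error' => array(...), 'status' => array(...)).
 * Returns the number of messages removed.
 */
function example_unset_login_message(array &$messages, $needle, $type = 'error') {
  if (empty($messages[$type])) {
    return 0;
  }
  $removed = 0;
  foreach ($messages[$type] as $key => $message) {
    // Part of the core text is wrapped in a link, so compare tag-stripped text.
    if (strpos(trim(strip_tags($message)), $needle) === 0) {
      unset($messages[$type][$key]);
      $removed++;
    }
  }
  if (empty($messages[$type])) {
    // Drop the empty bucket so the theme does not render an empty error box.
    unset($messages[$type]);
  }
  else {
    $messages[$type] = array_values($messages[$type]);
  }
  return $removed;
}

// Constructed sample input; on a real site this would be $_SESSION['messages'].
$session_messages = array(
  'error' => array(
    'Sorry, unrecognized username or password. <a href="/user/password">Have you forgotten your password?</a>',
    'Constructed unrelated error that must survive.',
  ),
  'status' => array('Constructed status message.'),
);

$removed = example_unset_login_message(
  $session_messages,
  'Sorry, unrecognized username or password.'
);

// One message is removed; the unrelated error and the status message remain.
print $removed . "\n";
print_r($session_messages);
```

On a translated site the needle would have to be the translated string, so the comparison should be made against the same text the site actually displays.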