Right now, a failed login has a drupal_set_message of

Sorry, unrecognized username or password. Have you forgotten your password?

That just helps an attacker know they need to try again. It'd be nice to figure out a way to unset that before it gets displayed. Maybe hook_exit() can unset a part of a global var somewhere to accomplish it.

Comments

ilo

Status: Active » Closed (works as designed)

The configuration options allow the administrator to show or hide this information. In fact, displaying this information was a request.
Note: cleaning issue queue

deekayen

Status: Closed (works as designed) » Active

To clarify, I'm not talking about login_security_notice_attempts_available. That shows how many remaining attempts there are for logging in. I mean an option that will unset the aforesaid core message from the session. There was some general session message killing code in there that wiped out the entire list of session messages, but it was not an option and was indiscriminate about the content of the messages. I took it out yesterday.
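The selective approach the original post asks for, and that the comment above contrasts with wiping the whole message list, as an added example that is not the Login Security module's code. In Drupal 6, drupal_set_message() appends to $_SESSION['messages'][$type][] and the theme renders (and clears) that store while the failed login form is being rebuilt in the same request, so hook_exit() runs after the message has already been sent to the browser; the filter below is written to be called from a validate handler appended to the user_login form after core's final validation handler instead. The constant, the function name and the sample session contents are assumptions made for this example; the script runs under the plain PHP CLI without a Drupal install.

```php
<?php
// Added example, not code from the Login Security module. Simulates the
// Drupal 6 message store ($_SESSION['messages'][$type][]) so it runs under
// the PHP CLI without Drupal. Names prefixed "example_" are hypothetical.

// Stable prefix of core's failed-login message (user.module). Core appends a
// password-reset link to it, so match on the prefix rather than the full HTML.
define('EXAMPLE_CORE_FAILURE_PREFIX', 'Sorry, unrecognized username or password.');

/**
 * Remove only messages of $type that start with $prefix; keep everything else.
 *
 * Contrast with unset($_SESSION['messages']), which also discards unrelated
 * status and warning messages queued for the same page.
 *
 * @return int Number of messages removed.
 */
function example_remove_message_by_prefix($prefix, $type = 'error') {
  if (empty($_SESSION['messages'][$type])) {
    return 0;
  }
  $kept = array();
  $removed = 0;
  foreach ($_SESSION['messages'][$type] as $message) {
    if (strpos($message, $prefix) === 0) {
      $removed++;
    }
    else {
      $kept[] = $message;
    }
  }
  if (count($kept) > 0) {
    $_SESSION['messages'][$type] = $kept;
  }
  else {
    // theme_status_messages() renders one box per type present; do not leave
    // an empty 'error' bucket behind or an empty error box is drawn.
    unset($_SESSION['messages'][$type]);
  }
  if (empty($_SESSION['messages'])) {
    unset($_SESSION['messages']);
  }
  return $removed;
}

// --- Constructed demonstration data (not a real session) -------------------
$_SESSION = array();
$_SESSION['messages']['error'][] = EXAMPLE_CORE_FAILURE_PREFIX
  . ' <a href="/user/password">Have you forgotten your password?</a>';
$_SESSION['messages']['error'][] = 'Unrelated error that must survive.';
$_SESSION['messages']['status'][] = 'Unrelated status that must survive.';

$removed = example_remove_message_by_prefix(EXAMPLE_CORE_FAILURE_PREFIX);

printf("removed: %d\n", $removed);
print_r($_SESSION['messages']);
```

In a real module the call would sit in a validate handler added via hook_form_alter() with `$form['#validate'][] = 'your_handler';` so it runs after core has queued the message, and the prefix would be built with t() from the same string core uses, because a site running in another language stores the translated text. Matching on a string is still fragile across core updates; a clean-up step on uninstall for any new variable, as the follow-up commit in this issue does, avoids leaving the option behind.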

ilo

Mm.. OK, I misunderstood it; now I see clearly. Are you going to take this issue, or should I?

deekayen

Assigned: Unassigned » deekayen

deekayen

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

  • deekayen committed d689c08 on 6.x-1.x, 8.x-1.x
    #316736 - remove any indication of authentication failure until logon...
  • deekayen committed ed29ad8 on 6.x-1.x, 8.x-1.x
    #316736 followup to remove new var on uninstall