rod mclaughlin


A minor improvement in Ruby on Rails Authlogic (06 dec 12)

Used carelessly, Authlogic's user_sessions_controller can give too much away. If a login attempt fails (action user_sessions_controller.create) and the controller displays the errors from @user_session, the page may say 'password incorrect' or 'email incorrect', which tells a cracker * which half of the credentials was right. I changed the code in 'create' to give a single generic message instead:


  def create
    @user_session = UserSession.new(params[:user_session])
    respond_to do |format|
      if @user_session.save
        format.html { redirect_to('/', :notice => 'Logged in') }
        format.xml  { render :xml => @user_session, :status => :created, :location => @user_session }
      else
        # This used to say errs = @user_session.errors.full_messages.join( ' ' )
        errs = 'Not logged in - email or password invalid'
        flash[:notice] = errs
        format.html { render :action => "new" }
        format.xml  { render :xml => @user_session.errors, :status => :unprocessable_entity }
      end
    end
  end
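To show the difference in plain Ruby, here is an added example that is not code from this post or from Authlogic. It models the failure path of the 'create' action: a stand-in session object produces the field-specific messages that errors.full_messages would, and two helpers return the old (leaky) and new (generic) text. The names FakeUserSession, KNOWN_USERS, GENERIC_MESSAGE, leaky_message, generic_message and login_response are invented for this example, as is the single credential in KNOWN_USERS. One thing the example does differently from the action above: its XML branch also returns the generic text, because rendering @user_session.errors as XML still hands an API client the per-field message that the HTML branch no longer shows.

```ruby
# Added example, not code from the post or from Authlogic: a plain-Ruby model
# of the login failure path, showing the field-specific messages that
# Authlogic-style validation produces and the single generic message the
# post substitutes. FakeUserSession, KNOWN_USERS and login_response are
# invented names for this example.

# Constructed credential store with one account. A real application stores a
# password hash via Authlogic; the plaintext here only keeps the example short.
KNOWN_USERS = { 'alice@example.com' => 'correct horse battery staple' }.freeze

# One message for every failed attempt, as in the post's 'create' action.
GENERIC_MESSAGE = 'Not logged in - email or password invalid'.freeze

# Minimal stand-in for @user_session: validates the credentials and collects
# per-field errors the way errors.full_messages would expose them.
class FakeUserSession
  attr_reader :errors

  def initialize(params)
    @email    = params[:email].to_s
    @password = params[:password].to_s
    @errors   = []
  end

  # Returns true on success. On failure the message names the field that
  # failed, so whoever sees it can tell whether the email is registered.
  def save
    stored = KNOWN_USERS[@email]
    if stored.nil?
      @errors << 'Email is not valid'
    elsif stored != @password
      @errors << 'Password is not valid'
    end
    @errors.empty?
  end
end

# The old behaviour: the raw validation messages, joined for the flash.
def leaky_message(session)
  session.errors.join(' ')
end

# The fixed behaviour: the same text regardless of which validation failed.
def generic_message(_session)
  GENERIC_MESSAGE
end

# Controller-like helper returning what each response format would carry.
# Unlike the original action, the :xml branch also uses the generic text, so
# an API client cannot learn which field was wrong from the XML error body.
def login_response(params, format = :html)
  session = FakeUserSession.new(params)
  return { status: 200, body: 'Logged in' } if session.save

  body = if format == :xml
           "<errors><error>#{GENERIC_MESSAGE}</error></errors>"
         else
           generic_message(session)
         end
  { status: 422, body: body }
end

if __FILE__ == $PROGRAM_NAME
  [
    { email: 'nobody@example.com', password: 'guess' },  # unknown email
    { email: 'alice@example.com',  password: 'guess' }   # wrong password
  ].each do |attempt|
    session = FakeUserSession.new(attempt)
    session.save
    puts "leaky:   #{leaky_message(session)}"
    puts "generic: #{generic_message(session)}"
  end
  puts login_response({ email: 'nobody@example.com', password: 'guess' }, :xml)[:body]
end
```

Run it and the two failed attempts print different leaky messages ('Email is not valid' versus 'Password is not valid') but the same generic one, which is the whole point of the change: an observer watching responses can no longer tell whether an address is registered.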

* 'Cracker' is the correct term for what the media calls a 'hacker'. A hacker is just a programmer.


