A minor improvement in Ruby on Rails Authlogic (06 dec 12)
Used carelessly, Authlogic's user_sessions_controller might give too much away. If a user fails to log in (the user_sessions_controller create action) and the errors in @user_session are displayed, the page might say 'password incorrect' or 'email incorrect' - this tells a cracker * which of the two was wrong, and so whether the email address is registered. I made the code in 'create' give a more generic message:
def create
  @user_session = UserSession.new(params[:user_session])
  respond_to do |format|
    if @user_session.save
      format.html { redirect_to('/', :notice => 'Logged in') }
      format.xml  { render :xml => @user_session, :status => :created, :location => @user_session }
    else
      # This used to say errs = @user_session.errors.full_messages.join( ' ' )
      errs = 'Not logged in - email or password invalid'
      flash[:notice] = errs
      format.html { render :action => "new" }
      format.xml  { render :xml => @user_session.errors, :status => :unprocessable_entity }
    end
  end
end
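To show what the change buys you, here is an added example (plain Ruby, not Authlogic's code and not from the original post) with a stand-in UserSession, a constructed in-memory user table, and a check that counts how many distinct failure messages an outsider can observe: more than one means the form leaks whether an address is registered.

```ruby
# Added example; FakeUserSession, USERS and ATTEMPTS are constructed stand-ins,
# not Authlogic's real classes or data.
require 'set'

USERS = { 'alice@example.com' => 'correct horse' }.freeze # constructed sample data

class FakeUserSession
  attr_reader :errors

  def initialize(email, password)
    @email, @password = email, password
    @errors = []
  end

  # Mimics a model whose validation distinguishes "no such email" from
  # "wrong password"; errors.full_messages would expose that distinction.
  def save
    if !USERS.key?(@email)
      @errors << 'Email is not valid'
    elsif USERS[@email] != @password
      @errors << 'Password is not valid'
    end
    @errors.empty?
  end
end

# The controller's original behaviour: echo whatever the model reported.
def verbose_flash(session)
  session.errors.join(' ')
end

# The fixed behaviour from the post: the same message for every failure.
def generic_flash(_session)
  'Not logged in - email or password invalid'
end

# Runs each (email, password) attempt and returns the set of distinct
# failure messages produced; a size above 1 means account enumeration.
def observable_failure_messages(attempts, &flash_for)
  attempts.each_with_object(Set.new) do |(email, password), seen|
    session = FakeUserSession.new(email, password)
    seen << flash_for.call(session) unless session.save
  end
end

# One registered address with a wrong password, one unknown address.
ATTEMPTS = [['alice@example.com', 'wrong'], ['nobody@example.com', 'wrong']].freeze

if __FILE__ == $0
  puts observable_failure_messages(ATTEMPTS) { |s| verbose_flash(s) }.size # 2
  puts observable_failure_messages(ATTEMPTS) { |s| generic_flash(s) }.size # 1
end
```

The same check can be pointed at a real application by replacing FakeUserSession with HTTP requests against the login form and comparing the rendered flash text.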
* 'Cracker' is the correct term for what the media calls a 'hacker'. A hacker is just a programmer.