Error message when login fails

Patrick Schulte · ‎05-04-2014

Hello everyone,

we are using the predefined "Login" dynamic content block and modyfied the layout to meet our needs.
Everything works out fine but I would like to know which script service now is using to verify the users credentials.
Usecase: For better usability I would like to split up the current error message if either the username is wrong and/or the password.
Current message: User name or password invalid.

That's not really specific....

I found the "PortletLogin" in Script Includes but that doesn't seem to be the right one. Any ideas?

Best regards,

Patrick

marcia_jones · ‎06-11-2014

Hi Patrick,

I would recommend that you leave the message as it. As an IS Auditor, from a security perspective, generic is better. You do NOT want to tell a hacker which part of the login process they have right or wrong.

My two cents.

Marcia,

CISA

View solution in original post

marcia_jones · ‎06-11-2014

Hi Patrick,

I would recommend that you leave the message as it. As an IS Auditor, from a security perspective, generic is better. You do NOT want to tell a hacker which part of the login process they have right or wrong.

My two cents.

Marcia,

CISA

Jim Coyne · ‎06-11-2014

Agree 100%. I understand wanting to help the users out as much as possible, but that would not be a good idea in this particular case.

Patrick Schulte · ‎06-11-2014

We discussed this internally and came to the same conclusion .
Anyways, thanks gusys for the valuable input.

Miguel Sanchez · ‎11-27-2014

Hi Marcia,

I have a similar need: I need to set a custom error message only when the error is related with a LDAP problem, to inform the user that he/she needs to change its password in Windows before to attempt to log-in again.

I've been trying to find where is the code which handles it, but I haven't found it... Any clue?

Many thanks!