[JDEV] Re: Returning a different response code for non-existent users
chk at pobox.com
Tue Oct 9 10:45:05 CDT 2001
> With the current setup, the client cannot tell if the 401 is due to
> the user not existing, or an incorrect password.
I'm sure this is by design. It's a serious security flaw to allow an
attacker to know the difference between "unknown user" and "incorrect
Harald Koch <chk at pobox.com>
"It takes a child to raze a village."
-Michael T. Fry
More information about the JDev