[JDEV] Re: Returning a different response code for non-existent users

Harald Koch chk at pobox.com
Tue Oct 9 10:45:05 CDT 2001

> With the current setup, the client cannot tell if the 401 is due to
> the user not existing, or an incorrect password.

I'm sure this is by design. It's a serious security flaw to allow an
attacker to know the difference between "unknown user" and "incorrect

Harald Koch     <chk at pobox.com>

"It takes a child to raze a village."
		-Michael T. Fry

More information about the JDev mailing list