[JDEV] Returning a different response code for non-existent users

Miguel A.L. Paraz map at internet.org.ph
Wed Oct 10 11:06:54 CDT 2001

On Wed, Oct 10, 2001 at 10:44:55AM -0500, Thomas Muldowney wrote:
> The reason it is like this is one of those classic security reasons,
> telling the user if their password was wrong or if the user does not
> exist allows an attacker to wander around and find an account possibly
> by guessing names.  Then they can begin to attack the password because
> they will get a definate error when it is wrong.  Many clients store a
> flag to know if they have an account already or they will have a
> checkbox or wizard for new user creation.  I'll have to poke aroudn to
> find out where to hook in for the change you want though.

I understand this.
This is why I'm asking, would it better to:

tell the client that the user does not exist, 
so that the client can register without prompting the user, 

or not tell the client that the user does not exist, and automatically
register and login the user?

The client already knows in advance what password to use since the dialup
password will be used along with RADIUS authentication on the server end.

(I have successfully combined xdb_sql with mod_auth_radius)

More information about the JDev mailing list