EXERLOG / exer_log

exer_log - authored by @KalleHallden


login and forgot password feedback for users valid with OWASP recommendations

mfederowicz opened this issue · comments

Hi @KalleHallden I know that login feedback for users was raised in that PR
but for security reasons I think it will be good to use OWASP recommendations for that kind of labels (i.e. don't inform the user whether the used credentials match/don't match an existing account)

source of correct and incorrect responses

  1. https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html
  2. https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#incorrect-and-correct-response-examples

Great. I guess we can change Login error responses to "Login failed; Invalid email or password."

But for Account Creation,

[screenshot]

As of now, we don't have any verification email sent to the user's mail, so do we have any suggestion for that?

Hmm, it is not good to give users access to the system without verification of the email account. I know that the application is in an early development stage, but maybe it is a good point to think about it :)
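The two points raised in this thread (generic login and forgot-password responses from the opening post, and account creation that neither reveals whether an email is taken nor activates the account before the email is verified) side by side, as an added example that is not exer_log's own code. The Python user store, handler names, hashing parameters and the `outbox` list standing in for an email service are assumptions for illustration; the response strings are the ones the linked OWASP cheat sheets recommend.

```python
"""Authentication feedback that does not leak account existence.

Added example, not the exer_log project's code. The in-memory user
store, the handler names, the PBKDF2 parameters and the `outbox` list
(a stand-in for an email sender) are assumptions for illustration.
"""
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 parameters are illustrative; tune the iteration count for production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed data: one verified account, no real credentials.
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash_password("correct horse battery", _SALT))}
PENDING = {}  # email -> (salt, hash) for accounts awaiting email verification

# A dummy credential so that a lookup miss costs the same hashing work as a hit
# (avoids a timing difference that would reveal which emails are registered).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("not-a-real-password", _DUMMY_SALT)

# Response wording from the OWASP Authentication / Forgot Password cheat sheets.
GENERIC_LOGIN_ERROR = "Login failed; Invalid email or password."
GENERIC_RESET_MESSAGE = (
    "If that email address is in our database, we will send you an email "
    "to reset your password."
)
GENERIC_SIGNUP_MESSAGE = (
    "A link to activate your account has been emailed to the address provided."
)


def login_leaky(email: str, password: str) -> str:
    """The pattern the issue objects to: the message itself tells the caller
    whether the email is registered, so accounts can be enumerated."""
    if email not in USERS:
        return "No account with this email"
    salt, stored = USERS[email]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return "Wrong password"
    return "OK"


def login_generic(email: str, password: str) -> str:
    """Same decision, but the caller only sees success or one generic failure,
    and an unknown email still pays for a hash computation."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash_password(password, salt), stored)
    # Only verified accounts (USERS, not PENDING) may log in.
    if matched and email in USERS:
        return "OK"
    return GENERIC_LOGIN_ERROR


def forgot_password(email: str, outbox: list) -> str:
    """Identical response either way; the reset mail goes only to real accounts."""
    if email in USERS:
        outbox.append(("reset", email))
    return GENERIC_RESET_MESSAGE


def register(email: str, password: str, outbox: list) -> str:
    """Account creation: same response whether or not the email is taken, and
    the account stays in PENDING (unusable) until the verification link is used."""
    if email not in USERS and email not in PENDING:
        salt = os.urandom(16)
        PENDING[email] = (salt, _hash_password(password, salt))
        outbox.append(("verify", email))
    return GENERIC_SIGNUP_MESSAGE


def verify_email(email: str) -> bool:
    """Called when the emailed verification link is followed."""
    if email in PENDING:
        USERS[email] = PENDING.pop(email)
        return True
    return False
```

The guard `matched and email in USERS` in `login_generic` matters: without it, a password equal to the dummy credential would "match" for an unregistered email. Keeping the response text constant is only half the fix; the handler must also do the same amount of work on both paths, which is why the miss case hashes against a dummy record.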

Yeah I think this is a good thing to correct as well.

@all-contributors please add @suzanpradhan for project management and ideas & planning


This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Thank you for your contributions.