Task #52043
Closed
AbstractUserAuthentication::checkAuthentication fails to log unknown username
0%
Description
If a user logs in with an unknown username, the login try does not get logged. Based on this, it's not possible to display messages based on the count of failed logins. On the other side, it's possible to "guess" usernames by the different behaviour of the login screen. Because of this, it would be good to write a failed login to sys_log even with an unknown username.
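The behaviour the description asks for, as an added example that is not TYPO3 code and not part of the original report: every failed login is recorded whether the username is unknown or the password is wrong, the failure count is taken from that log, and the login screen answers identically in both cases. All names (`check_authentication`, `FAILED_LOG`, `login_message`) and the sample user are hypothetical, and the in-memory list only stands in for a log table such as sys_log.

```python
import hashlib
import hmac
import os
import time


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed sample data; names and layout are hypothetical, not TYPO3's schema.
_SALT = os.urandom(16)
USERS = {"editor": (_SALT, _hash("correct horse", _SALT))}
# Dummy record so unknown usernames cost the same hashing work as known ones.
_DUMMY = (os.urandom(16), os.urandom(32))
FAILED_LOG = []  # stands in for a log table such as sys_log


def check_authentication(username: str, password: str, ip: str) -> bool:
    known = username in USERS
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored) and known
    if not ok:
        # Same log entry whether the username is unknown or the password is wrong.
        FAILED_LOG.append({"tstamp": time.time(), "ip": ip, "username": username})
    return ok


def failed_count(ip: str, window: float = 900.0) -> int:
    # Count failures from this address inside the time window (seconds).
    cutoff = time.time() - window
    return sum(1 for e in FAILED_LOG if e["ip"] == ip and e["tstamp"] >= cutoff)


def login_message(username: str, password: str, ip: str, limit: int = 3) -> str:
    if failed_count(ip) >= limit:
        return "Too many failed logins, try again later."
    if check_authentication(username, password, ip):
        return "Welcome."
    # Identical text for both failure causes, so the screen does not reveal
    # which usernames exist.
    return "Login failed."
```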
Updated by Gerrit Code Review about 11 years ago
- Status changed from New to Under Review
Patch set 1 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/23853
Updated by Thorsten Kahler about 11 years ago
- Tracker changed from Bug to Feature
Updated by Sebastian Fischer about 11 years ago
Why was this issue declassified to only be a feature? By having no logging of unknown usernames, the server reacts differently, and not only is counting of failed logins due to unknown users not possible, but other side-channel attacks are also possible.
From my point of view this is truly a bug and not a feature that is nice to have.
Updated by Gerrit Code Review about 11 years ago
Patch set 2 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/23853
Updated by Christian Kuhn about 11 years ago
- Status changed from Under Review to Rejected
Not needed, information is already logged.