Method: Authlogic::Session::Password::Config#generalize_credentials_error_messages
- Defined in:
- lib/authlogic/session/password.rb
#generalize_credentials_error_messages(value = nil) ⇒ Object Also known as: generalize_credentials_error_messages=
The message shown when a login attempt fails because the credentials (login/password combination) are wrong. When you show error messages for a bad login, it is considered good security practice not to reveal which field the user entered incorrectly (the login field or the password field): distinct messages let an attacker confirm which logins exist without knowing any password. For a full explanation, see www.gnucitizen.org/blog/username-enumeration-vulnerabilities/
Example of use:
class UserSession < Authlogic::Session::Base
generalize_credentials_error_messages true
end
This would make the error message for bad logins and bad passwords look identical:
Login/Password combination is not valid
Alternatively you may use a custom message:
class UserSession < Authlogic::Session::Base
generalize_credentials_error_messages "Your login information is invalid"
end
This will instead show your custom error message when the UserSession is invalid.
The downside to enabling this is that it can be too vague for a user who has a hard time remembering their username and password combinations. It also disables the ability to highlight the field with the error when you use form_for, because the error is no longer attached to a specific field.
If you are developing an app where security is an extreme priority (such as a financial application), then you should enable this. Otherwise, leaving this off is fine.
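The enumeration problem the option addresses, as an added example that is not Authlogic's own code: a toy credential check with field-specific errors, the oracle an attacker builds from the differing messages, and the generalized variant this option switches on. The user table, digests and wordlist are constructed for the example, and SHA-256 stands in for a real password hash only to keep the block self-contained.

```ruby
# Added example (not Authlogic code): why field-specific login errors leak
# account existence, and what generalizing the message changes.
require "digest"

# Constructed user table: login => SHA-256 of password. Hypothetical data;
# a real application would use a slow, salted password hash.
USERS = {
  "alice" => Digest::SHA256.hexdigest("correct horse"),
  "bob"   => Digest::SHA256.hexdigest("battery staple"),
}.freeze

# The generalized text Authlogic uses by default when the option is true.
GENERIC_MESSAGE = "Login/Password combination is not valid".freeze

# Field-specific errors (the behaviour with the option left false):
# the message itself tells the caller whether the login exists.
def login_specific(login, password)
  digest = USERS[login]
  return [:error, "Login is not valid"] unless digest
  return [:error, "Password is not valid"] unless digest == Digest::SHA256.hexdigest(password)
  [:ok, login]
end

# Generalized errors (what generalize_credentials_error_messages true does,
# or a custom string when one is configured): every failure path reports
# the same text.
def login_generalized(login, password, message: GENERIC_MESSAGE)
  digest = USERS[login]
  # Hash the supplied password even when the login is unknown so that both
  # failure paths cost about the same; identical messages alone do not close
  # a timing oracle on the "unknown login" shortcut.
  supplied = Digest::SHA256.hexdigest(password)
  return [:error, message] if digest.nil? || digest != supplied
  [:ok, login]
end

# Enumeration oracle: try each candidate with a junk password and keep the
# ones whose error message differs from that of a login known not to exist.
def enumerate_logins(candidates, &login_fn)
  baseline = login_fn.call("definitely-not-a-user", "x").last
  candidates.select { |c| login_fn.call(c, "x").last != baseline }
end

if __FILE__ == $PROGRAM_NAME
  wordlist = %w[admin alice bob carol]
  p enumerate_logins(wordlist) { |l, pw| login_specific(l, pw) }    # => ["alice", "bob"]
  p enumerate_logins(wordlist) { |l, pw| login_generalized(l, pw) } # => []
end
```

The oracle needs no valid password at all: with field-specific messages it recovers every real login in the wordlist, with generalized messages it recovers nothing. Note that the option only equalizes the message text; response time, HTTP status and other side channels still have to be kept identical across the two failure paths if enumeration is a real concern.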
- Default:
false
- Accepts:
Boolean
# File 'lib/authlogic/session/password.rb', line 77
def generalize_credentials_error_messages(value = nil)
  rw_config(:generalize_credentials_error_messages, value, false)
end