Avoid hints for an invalid password attempt
In case a (malicious) user gets a correct username, avoid showing a hint
for invalid password attempts, as it can guide a brute force attack.
shivansh committed Jun 25, 2017
1 parent 25ef912 commit 3c14805
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions flash_cards.py
Expand Up @@ -260,9 +260,9 @@ def login():
error = None
if request.method == 'POST':
if request.form['username'] != app.config['USERNAME']:
error = 'Invalid username'
error = 'Invalid username or password!'
elif request.form['password'] != app.config['PASSWORD']:
error = 'Invalid password'
error = 'Invalid username or password!'
else:
session['logged_in'] = True
session.permanent = True # stay logged in
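Review bot: the unified error message closes the on-screen hint, but the `if`/`elif` structure still leaks which field was wrong through timing: when the username does not match, the password comparison at `elif request.form['password'] != app.config['PASSWORD']:` is never executed, so a wrong-username request returns measurably faster than a wrong-password request, and the plain `!=` comparisons short-circuit on the first differing character. To make both outcomes indistinguishable, compare username and password unconditionally with `hmac.compare_digest` (after encoding to bytes), combine the results, and only then set `error = 'Invalid username or password!'`. Two related points worth a follow-up: `app.config['PASSWORD']` is compared as a plaintext literal, so storing a hash and checking it with `werkzeug.security.check_password_hash` would avoid keeping the secret in config, and since the commit message cites brute force as the motivation, rate limiting or lockout on repeated failed POSTs to this route is the control that actually bounds guessing attempts.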
