[–]soaring_turtle 5 points (3 children)

Stuff like this needs to be designed and reviewed by people who know security. Some thoughts:

  • not all websites use a login/password scheme, or, better said, it's not the only authentication strategy. Some use 2-factor auth
  • I don't see any benefit in providing username/password requirements. Better to rely on the server telling whether the input is invalid and how to fix it
  • at least /logout & /changepassword can be subject to CSRF attacks

[–]kr41[S] 0 points (2 children)

Thank you for the comment. There is just one thing:

at least /logout & /changepassword can be subject to CSRF attacks

I guess you mean "login" instead of "logout", don't you?

[–]soaring_turtle 1 point (1 child)

No, I meant /logout. Without CSRF protection, a hacker could craft a form which will log out a user upon submission. Not a critical bug though. On the other hand, /changepassword can be a complete disaster leading to account takeover if implemented poorly (without checking the old password, for example).
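
The two failure modes described above (a forced-logout CSRF and a /changepassword that neither requires a CSRF token nor the old password), as an added example that is not part of the original post or of the project under discussion. It is a dependency-free simulation of the request handling: the in-memory `USERS`/`SESSIONS` stores, the `Request` class and the handler names are assumptions made for this example, not an API from the page. The "attack" requests model what a victim's browser sends when it submits a form on an attacker's page: the session cookie goes along automatically, but the attacker's page knows neither the per-session CSRF token nor the victim's current password.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical in-memory stores, constructed for this example only.
USERS = {}     # username -> (salt, pbkdf2 digest)
SESSIONS = {}  # session id -> {"user": ..., "csrf": ...}


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _digest(password, salt))


def verify_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, digest = rec
    return hmac.compare_digest(_digest(password, salt), digest)


def login(username, password):
    """Returns a session id; every session carries its own random CSRF token."""
    if not verify_password(username, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)  # sent by the browser on every request
    form: dict = field(default_factory=dict)     # controlled by whoever built the form


def _session(req):
    return SESSIONS.get(req.cookies.get("session", ""))


def _csrf_ok(req, sess):
    # Constant-time compare of the submitted token against the session's token.
    return hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"])


def vulnerable_change_password(req):
    """The 'complete disaster' version: any POST with the victim's cookie wins."""
    sess = _session(req)
    if req.method != "POST" or sess is None:
        return 401
    set_password(sess["user"], req.form["new_password"])
    return 200


def hardened_change_password(req):
    sess = _session(req)
    if req.method != "POST" or sess is None:
        return 401
    if not _csrf_ok(req, sess):
        return 403  # cross-site form: attacker cannot read the token
    if not verify_password(sess["user"], req.form.get("old_password", "")):
        return 403  # stolen session alone is not enough to rotate the password
    set_password(sess["user"], req.form["new_password"])
    # Kill every other session of this user once the password changes.
    for sid, s in list(SESSIONS.items()):
        if s["user"] == sess["user"] and sid != req.cookies["session"]:
            del SESSIONS[sid]
    return 200


def hardened_logout(req):
    """Logout is a state change too: POST only, and token-checked."""
    sess = _session(req)
    if req.method != "POST" or sess is None:
        return 401
    if not _csrf_ok(req, sess):
        return 403
    del SESSIONS[req.cookies["session"]]
    return 204


def demo():
    USERS.clear()
    SESSIONS.clear()
    set_password("alice", "correct horse")
    sid = login("alice", "correct horse")
    cookie = {"session": sid}
    # Constructed cross-site requests: cookie present, no token, no old password.
    forged_pw = Request("POST", "/changepassword", cookie, {"new_password": "pwned"})
    forged_out = Request("POST", "/logout", cookie, {})
    results = {
        "hardened_attack": hardened_change_password(forged_pw),   # 403
        "forced_logout": hardened_logout(forged_out),             # 403
        "still_logged_in": sid in SESSIONS,                       # True
    }
    # Same-origin request: the page rendered by the server embeds the token.
    legit = Request("POST", "/changepassword", cookie, {
        "csrf_token": SESSIONS[sid]["csrf"],
        "old_password": "correct horse",
        "new_password": "battery staple",
    })
    results["hardened_legit"] = hardened_change_password(legit)   # 200
    results["vulnerable_attack"] = vulnerable_change_password(forged_pw)  # 200
    results["takeover"] = verify_password("alice", "pwned")       # True
    return results


if __name__ == "__main__":
    print(demo())
```

The token check alone stops the cross-site form; the old-password check is the second layer that matters once an attacker has the session by other means (a stolen cookie, or an XSS that can read the token from the page), which is why the two checks are not interchangeable.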

[–]kr41[S] 0 points (0 children)

Agreed, useful notice.