johnnys
Posted October 11, 2013

Hi Guys,

I have created an application that has a login page and authenticates users based on Active Directory info. It works fine for some users, however some are complaining of not being able to log in.

Currently when login fails, I have output 'Login Incorrect, please try again'. This is also sent to a log file which I can access. I want to be able to troubleshoot this better, what would be the best way of doing this? All new to me, I'm afraid!

Would it be an idea to create a custom message saying USERNAME incorrect and PASSWORD incorrect, narrowing it down for the user?

Thanks in advance,
J

mac_gyver (Solution)
Posted October 11, 2013 (edited)

the information you are logging should be as specific as possible. exactly why the login is failing, along with what the inputs are, the IP address, date/time...

while you need to give the user helpful information (is the login failing due to the values they entered, which if they re-enter correctly would work, or due to a system error they cannot do anything about), you don't want to make it easy for someone to brute force/automate guessing usernames and passwords. unless you have bad-attempt counting and lockout, you would not want to tell the user if it is the username or the password that is causing the login to fail, just that it failed due to the values they entered ... try again.

Edited October 11, 2013 by mac_gyver

johnnys (Author)
Posted October 11, 2013

Thanks for that advice, I was thinking I probably shouldn't make it easy for people to guess!

Currently my log file says:

2013-10-11 14:34:28 Cron Job - INFO --> Login Failed for: xxxxxxxxxxxx from IP xxx.xxx.xxx.xxx

How can I make this more detailed? I was searching already, but if anybody can point me in the right direction that would be great.

mac_gyver
Posted October 11, 2013

it depends on what your code is doing/detecting. when validating/using user supplied input, just about every conditional test could have an else statement to do something with the value(s) that failed the test.
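
An added example, not code from this thread: each failing test records its own reason in the log while the user sees only "bad input" or "system error", and for Active Directory the reason is read from the sub-code in the failed bind's diagnostic message. It assumes the application's LDAP library exposes that diagnostic string; the function names, messages and sample values are constructed for illustration, and Python is used because the thread names no language.

```python
import re
from datetime import datetime, timezone

# Sub-codes AD places in the LDAP bind diagnostic message ("... data 52e, ...").
AD_BIND_REASONS = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time", "532": "password expired",
    "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}
USER_MSG_INPUT = "Login incorrect, please try again."   # generic on purpose
USER_MSG_SYSTEM = "Login is temporarily unavailable."   # nothing the user can fix


def clean(value, limit=64):
    """Make input safe for a one-line log entry (blocks CR/LF log forging)."""
    return re.sub(r"[^\x20-\x7e]", "?", value)[:limit]


def classify(username, password, bind_error):
    """Return (reason_for_log, message_for_user) for one failed login.
    bind_error: diagnostic string from the failed bind, or None when the
    directory could not be reached (assumed interface, not a real library's).
    """
    if not username.strip():
        return "empty username", USER_MSG_INPUT
    if not password:  # tested before any bind: never send an empty password
        return "empty password", USER_MSG_INPUT
    if bind_error is None:
        return "directory unreachable", USER_MSG_SYSTEM
    m = re.search(r"\bdata ([0-9a-f]{3,4})\b", bind_error, re.I)
    if not m:
        return "unrecognised bind error: " + clean(bind_error, 120), USER_MSG_SYSTEM
    code = m.group(1).lower()
    reason = AD_BIND_REASONS.get(code, "unmapped sub-code")
    return f"{reason} (AD data {code})", USER_MSG_INPUT


def log_line(username, ip, reason, now=None):
    """Build the log entry; the password itself is never written."""
    now = now or datetime.now(timezone.utc)
    return (f"{now:%Y-%m-%d %H:%M:%S} INFO --> Login Failed for: "
            f"{clean(username)} from IP {clean(ip, 45)} reason: {reason}")


# Constructed sample: a bind failure string in the form AD returns.
SAMPLE = "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 532, v1db1"
reason, user_msg = classify("jsmith", "not-logged", SAMPLE)
print(log_line("jsmith", "192.0.2.10", reason), "|", user_msg)
```

With this in place the log separates a mistyped password (52e) from an expired password or a locked account, which is the usual explanation when login works for some directory users and not others.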