Question

As a Inactive user role if i login with Mendix login screen Its giving error like Username and password is incorrect but correct behaviour is like it should say Your account is not active

0

Steps : 1] From Administration screen created one X user and made active. 2] I was able to login with X user when it is active Now I once again logged in as Admin , I intentionally did inactive the user X 1] Now iam trying to login by user x it giving me error saying your account name or password is wrong but it should say like '’Account is inactive '’ If anyone has an idea to show the "Account is inactive ” message .

asked 2019-12-24

Darshan

1 answers

Rom van Arendonk · Answer 1 · 2019-12-25

You could create your own login page and display more detailed error messages. However, it is an accepted practice to show a user as few details as possible when authentication fails, so that an attacker of your system can’t get the information either:

If it says: user does not exist, an attacker knows he should try a different user name
If it says: password is incorrect, the attacker now knows that the account exists
If it says: your account is disabled, the attacker now knows that the account exists and that the password is correct

By having a generic message, the attacker learns nothing.