@jhwoodyatt I see it as a security issue. i.e. Don't confirm the user ID if the password is wrong.
It really bugs me that HTTP returns different error codes for "it's not there" and "you can't have it".
@jhwoodyatt hrm. The issue is the metadata about what is or is not there, provided by the error code. It narrows a point of attack.
@jhwoodyatt Except when the authentication failure tells me where the resource lives.
@jhwoodyatt It's a security problem. There doesn't seem to be a 4xx response for "nothing to see here", though 403 "forbidden" is close.
@PhotoPuck You don't think the distinction is useful in practice? (I guess I can see that and web sites are inconsistent about it anyways.)
@thatcks I find the parallels to badly designed password checkers disturbing. Don't confirm a user id is valid if the password isn't.
@PhotoPuck You're right, I hadn't thought of it that way before. I usually know the URL should exist due to outside links.
Sean M Puckett
Chris Siebenmann