> The servlet (which will eventually be connected to an LDAP server, but is just checking string values for now) determines if my hard-coded username/password values are correct. If not, then I set a "Username invalid!" flag (and also a "Password invalid!" flag if necessary), and then forward back to the login screen so that the error message(s) may be displayed.
Andy,

Just from a security perspective, I would recommend that you not alert your users as to exactly what went wrong with their login. If you do, you would be making it that much easier for malicious users to hack into your application. For example, if a hacker were to just randomly guess at a username and password, and you returned the message "Password invalid", you've informed the hacker that he's correctly guessed a username, and now he just has to crack that user's password. A more generic error message like "Username/password invalid", regardless of which field is actually invalid, is therefore recommended.

Hope this helps,
Mike

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
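The two behaviours Mike contrasts, written out as an added example (this is not code from the thread or from Andy's servlet): the hypothetical `LoginChecker` class and its hard-coded user table are assumptions for illustration, standing in for the string check that will later become an LDAP lookup. `checkVerbose` reports per field, so a failed guess with a known username comes back with a different message than a guess with an unknown one; `checkGeneric` returns one message for every failure and does the password comparison even when the username is unknown, so the two failure paths also do the same amount of work.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

/**
 * Hypothetical login check, added here as an illustration; not part of the
 * original post. Plain Java so it runs without a servlet container:
 *   java LoginChecker.java
 */
public class LoginChecker {

    // Constructed sample credential store; the real servlet would consult LDAP.
    private static final Map<String, String> USERS = Map.of(
            "alice", "correct horse",
            "bob", "battery staple");

    /** Outcome handed back to the login page. */
    public static final class Result {
        public final boolean ok;
        public final String message;
        Result(boolean ok, String message) { this.ok = ok; this.message = message; }
    }

    /** Per-field messages: the reply itself reveals whether the username exists. */
    public static Result checkVerbose(String user, String pass) {
        String stored = USERS.get(user);
        if (stored == null) {
            return new Result(false, "Username invalid!");
        }
        if (!stored.equals(pass)) {
            return new Result(false, "Password invalid!");
        }
        return new Result(true, "OK");
    }

    /** One generic message whether the username, the password, or both are wrong. */
    public static Result checkGeneric(String user, String pass) {
        String stored = USERS.get(user);
        String given = (pass == null) ? "" : pass;
        // Compare against a dummy reference when the user is unknown, and use a
        // non-short-circuit '&' so the comparison runs on both failure paths.
        String reference = (stored == null) ? "" : stored;
        boolean match = constantTimeEquals(reference, given) & (stored != null);
        if (!match) {
            return new Result(false, "Username/password invalid");
        }
        return new Result(true, "OK");
    }

    /** Length-independent comparison; MessageDigest.isEqual does not exit early on the first mismatch. */
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(
                a.getBytes(StandardCharsets.UTF_8),
                b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String[][] attempts = {
                {"carol", "guess"},          // unknown username
                {"alice", "guess"},          // known username, wrong password
                {"alice", "correct horse"},  // valid login
        };
        for (String[] a : attempts) {
            Result v = checkVerbose(a[0], a[1]);
            Result g = checkGeneric(a[0], a[1]);
            System.out.printf("%-6s / %-14s  verbose: %-18s  generic: %s%n",
                    a[0], a[1], v.message, g.message);
        }
    }
}
```

Running the `main` prints three rows: the verbose column answers "Username invalid!" for carol but "Password invalid!" for alice, which is the difference Mike warns about, while the generic column reads "Username/password invalid" for both failed rows and "OK" only for the valid login.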
