After hotfix 125 login hiccups?

We have a custom login page that uses a JavaScript call to Luminis to first see if the system is going to log the user in with the entered username/password combination.

All it does is fetch the HTML and see if there is the string "Failed Login" in the HTML. If so, we just show them a "bad password"-like message.

However, with the recent patch to 4.2.1.125, this doesn't work 100% of the time. About 10% of the time, the JavaScript is presented an empty string. This isn't that big a deal; the JavaScript doesn't see the string it's looking for and just sends the user on to Luminis. If the password is wrong, Luminis's default message is displayed.

My question is: are others seeing it where nothing shows up when a user logs in? I haven't tested the default login to see.

I think I'm just going to move on; it's not detrimental, but the inconsistency is annoying. If any of you are seeing this and have a solution or would like to work on a solution together, let me know.


why would you do that

I ask because you could always customise the "cannot find username/password pair" page instead.

We are putting together a modification for our login page that checks whether the username is in AD first. If it is, then we want to disable the Luminis copy of the previous AD password. That way, when we hit the Fall Through auth chain we do not get undesired behaviour.

Our chain goes like this

1) Check against AD

2) Check against LP ldap

3) username/password pair error

I actually consider the way Luminis takes the current password used to log in and stores it in the LDAP in the same field that is then used for Step 2) a real security error and poor implementation choice. The purpose that the current password is stored is so that GCF can use it and the secret store can be unlocked. Where only Step 2) exists in the chain you can get away with it, but as soon as Step 1) is introduced it is easy to demonstrate problems.

Derek
University of Leeds, UK
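
An added illustration of the fall-through concern raised in the comment above; it is not code from the commenter, Luminis or AD. It assumes the undesired behaviour is a previous AD password still matching the stored copy at step 2, and every name, account and password in it is constructed, with in-memory Maps standing in for the two directories.

```javascript
// Added illustration: in-memory Maps stand in for AD and the Luminis (LP) LDAP.
// All function names, accounts and passwords are constructed (hypothetical).
function makeDirectories() {
  return {
    ad: new Map([["jsmith", "NewPass-2"]]),        // AD holds the current password
    lpLdap: new Map([["jsmith", "OldPass-1"],      // copy stored at an earlier login
                     ["localonly", "LocalPass"]]), // account that exists only in LP LDAP
  };
}

// The chain from the thread: 1) AD, 2) LP LDAP, 3) username/password pair error.
function authenticate(dirs, user, password) {
  if (dirs.ad.has(user) && dirs.ad.get(user) === password) {
    dirs.lpLdap.set(user, password); // current password is stored on successful login
    return "ok:ad";
  }
  if (dirs.lpLdap.has(user) && dirs.lpLdap.get(user) === password) {
    return "ok:lp-ldap";
  }
  return "error:username/password";
}

// The login-page modification described: if the username is in AD,
// disable the stored copy before the chain runs.
function loginWithAdPrecheck(dirs, user, password) {
  if (dirs.ad.has(user)) {
    dirs.lpLdap.delete(user);
  }
  return authenticate(dirs, user, password);
}

// Runs the scenarios and returns the outcome of each.
function demo() {
  const results = {};
  let dirs = makeDirectories();
  // Previous AD password, no pre-check: step 1 fails, step 2 matches the stale copy.
  results.staleWithoutPrecheck = authenticate(dirs, "jsmith", "OldPass-1");
  dirs = makeDirectories();
  // Same attempt with the pre-check: the stale copy is gone, so the chain ends in the error.
  results.staleWithPrecheck = loginWithAdPrecheck(dirs, "jsmith", "OldPass-1");
  results.currentWithPrecheck = loginWithAdPrecheck(dirs, "jsmith", "NewPass-2");
  results.copyRestored = dirs.lpLdap.get("jsmith") === "NewPass-2";
  // An account that is not in AD still authenticates at step 2.
  results.localOnly = loginWithAdPrecheck(dirs, "localonly", "LocalPass");
  return results;
}

console.log(demo());
```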

many reasons

Really this was just a simple way to do it. Quick javascript reading was all that was necessary.

Were anyone else's logins affected by the hotfix 125 upgrade?
