
I am using the MVC5 login Identity authentication code below:

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginViewModel model, string returnUrl)
    {
        if (ModelState.IsValid)
        {
            // Validate the password
            IdentityResult result = IdentityManager.Authentication.CheckPasswordAndSignIn(AuthenticationManager, model.UserName, model.Password, model.RememberMe);
            if (result.Success)
            {
                return Redirect("~/home");
            }
            else
            {
                AddErrors(result);
            }
        }

        // If we got this far, something failed, redisplay form
        return View(model);
    }

The code gives a message if the password is not correct, but if the username does not exist it gives the same message, saying "Incorrect password."

Does anyone out there have a solution that also checks whether the username exists and gives a correct message if it does not? Note that I am using ASP.NET Identity, so it would need to be a solution for this and not for the Simple Membership authentication.

Samantha J T Star
  • For reference it is usually considered bad practice now to give a message more specific than "Incorrect username or password" as simply confirming the existence of an account with a given username can be helpful to those attempting to hack the application. – pwdst Nov 13 '13 at 12:14

1 Answer


If you update to the 1.0 RTM Identity packages, you can check if a user exists by: UserManager.FindByName("username")

Hao Kung
  • Thank you. I tried this and will continue to check it out. Can you tell me whether the stable release date for 1.0 will be the same as the VS2013 release date? – Samantha J T Star Oct 20 '13 at 15:25
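
Added example, not part of the original question or answer: the existence check from the answer combined with the point in pwdst's comment, so the "unknown user" versus "wrong password" distinction goes to a server-side log while the form shows one generic message. It assumes the ASP.NET Identity 1.0 RTM packages, a `UserManager` property populated as in the default MVC 5 template, the `LoginViewModel` from the question, and `System.Diagnostics.Trace` as a stand-in log sink.

```csharp
using System.Diagnostics;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.Owin.Security;

public class AccountController : Controller
{
    // Assumption: set up elsewhere (constructor or DI), as in the MVC 5 template.
    public UserManager<IdentityUser> UserManager { get; set; }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        if (ModelState.IsValid)
        {
            // Returns null for both an unknown user name and a wrong password.
            IdentityUser user = await UserManager.FindAsync(model.UserName, model.Password);
            if (user != null)
            {
                var identity = await UserManager.CreateIdentityAsync(
                    user, DefaultAuthenticationTypes.ApplicationCookie);
                HttpContext.GetOwinContext().Authentication.SignIn(
                    new AuthenticationProperties { IsPersistent = model.RememberMe },
                    identity);
                return Redirect("~/home");
            }

            // The specific reason is recorded for operators only. The submitted
            // user name is left out of the log on purpose: people sometimes type
            // their password into that field.
            bool knownUser = await UserManager.FindByNameAsync(model.UserName) != null;
            Trace.TraceWarning("Login failed: reason={0} ip={1}",
                knownUser ? "bad_password" : "unknown_user",
                Request.UserHostAddress);

            // Same text in both cases, so the form does not confirm which
            // user names are registered.
            ModelState.AddModelError("", "Incorrect username or password.");
        }

        // If we got this far, something failed, redisplay form
        return View(model);
    }
}
```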