Comment by philh
10 years ago
I remember finding somewhere that let me sign up with a +, but not log in with it - unless I disabled client-side validation, at which point the server was happy to let me in.
If you ever order from HobbyKing (not the store I mentioned previously) do NOT have a plus in your email. It gets converted silently to a space in their internal systems and their customer support has absolutely 0 access or escalation.
They outsource everything, and ultimately it took me months to sort everything out.
That's insanely insecure. Can't believe client-side validation would be used for a login system other than as a first check.
I still needed the password (or so I assume). It was just a first check that was stricter than it should have been.
This is why backend and frontend need to share code!
I wouldn't be surprised if there were a significant number of bugs that have been fixed by deleting code.