I have a request to change our new account creation to just log a customer into an existing account if the specified username/password already exists. I have already made the argument that this isn't standard behavior, but unless there's some sort of security flaw, they want to move forward with this feature.
I can't think of any security risks, but I'm certainly not a security expert. Does anyone know of a good reason not to implement this feature?
Edit: The customer who was attempting to register a new account would just be logged into an account silently instead of being given an error message that they can't use that username.