[JDEV] Re: Returning a different response code for non-existent users

Harald Koch chk at pobox.com
Tue Oct 9 10:45:05 CDT 2001


> With the current setup, the client cannot tell if the 401 is due to
> the user not existing, or an incorrect password.

I'm sure this is by design. It's a serious security flaw to allow an
attacker to know the difference between "unknown user" and "incorrect
password".

-- 
Harald Koch     <chk at pobox.com>

"It takes a child to raze a village."
		-Michael T. Fry

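As an added illustration of the point Harald makes above (this is example code written for this page, not code from the original post or from the project the list discusses): the first login function below leaks the "unknown user" / "incorrect password" distinction through its status code, and the second returns the same 401 in both cases. The user store, salts, passwords and the PBKDF2 parameters are all constructed for the example; the protocol is left generic, with plain integer status codes standing in for whatever the real server sends. The hardened version also runs the password hash against a dummy record when the name is unknown, so the two failure paths cost the same time; otherwise the attacker could still tell them apart by timing even with identical responses.

```python
import hashlib
import hmac
import os

# Constructed example parameters: a single user, a random per-user salt,
# and PBKDF2-HMAC-SHA256 as the password hash.
ITERATIONS = 100_000


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_SALT = os.urandom(16)
USERS = {
    "alice": (_SALT, hash_password("correct horse", _SALT)),
}

# Dummy record used for unknown usernames so the hash is always computed;
# the dummy password is never accepted (see the membership check below).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("unused dummy password", _DUMMY_SALT)


def login_leaky(username, password):
    """Vulnerable: the response says whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return 404, "no such user"        # reveals which names are valid
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return 401, "incorrect password"  # confirms the name exists
    return 200, "ok"


def login_uniform(username, password):
    """Hardened: same status and message for unknown user and bad password."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)  # always does the full hash work
    # compare_digest is constant-time; the explicit membership check stops
    # the dummy record from ever authenticating a non-existent user.
    if username in USERS and hmac.compare_digest(candidate, stored):
        return 200, "ok"
    return 401, "not authorized"


def enumerate_users(login, candidates):
    """Attacker's view: a name is 'found' when its response differs from a
    known-bogus name's response. Works against login_leaky, not login_uniform."""
    baseline = login("definitely-not-a-user-0123", "x")
    return [name for name in candidates if login(name, "x") != baseline]


if __name__ == "__main__":
    print("leaky  :", enumerate_users(login_leaky, ["alice", "bob", "carol"]))
    print("uniform:", enumerate_users(login_uniform, ["alice", "bob", "carol"]))
```

Note that the uniform response only closes the enumeration channel at the authentication step; registration and password-reset flows that say "that username is taken" or "no account with that address" reopen it and need the same treatment.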

