Issue
- The user is sent to a 404 page instead of being prompted to log in when navigating to pages with restricted access, either after the user session expires or when a user who is not logged in tries to access the URL directly.
Environment
- DXP 7.4
Resolution
- We disable this feature, which is present in former versions of DXP, to avoid the potential risks of the user enumeration and page enumeration attack vectors.
- When the Login Prompt is enabled, an attacker can guess users or private/restricted pages simply from the different responses the portal gives when accessing existing vs. non-existing pages.
- This behaviour can be reverted from Control Panel -> System Settings -> Login -> Login Prompt Enabled.
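
The check below is an added example, not Liferay code: it compares what an anonymous client can observe for a restricted page and for a non-existent page, and reports which features differ. The sample responses, paths and function names are constructed for illustration and assume the login prompt answers with a redirect.

```python
from urllib.parse import urlsplit

# Constructed sample responses (status, headers, body) to an anonymous request.
# Paths and bodies are illustrative, not captured from a real portal.
PROMPT_ENABLED = {
    "restricted": (302, {"Location": "/c/portal/login?redirect=%2Fgroup%2Fhr"}, b""),
    "missing": (404, {}, b"<h1>Not Found</h1>"),
}
PROMPT_DISABLED = {
    "restricted": (404, {}, b"<h1>Not Found</h1>"),
    "missing": (404, {}, b"<h1>Not Found</h1>"),
}


def fingerprint(response):
    """Reduce a response to the features an anonymous client can observe."""
    status, headers, body = response
    location = headers.get("Location")
    # Keep only the redirect path: the query string usually echoes the
    # requested URL and would differ between any two requests.
    target = urlsplit(location).path if location else None
    return (status, target, len(body))


def leaked_features(restricted, missing):
    """Name the observable features that differ between the two responses."""
    names = ("status", "redirect_target", "body_length")
    pairs = zip(names, fingerprint(restricted), fingerprint(missing))
    return [name for name, a, b in pairs if a != b]


def audit(samples):
    """Report whether a restricted page can be told apart from a missing one."""
    diff = leaked_features(samples["restricted"], samples["missing"])
    return {"distinguishable": bool(diff), "differs_in": diff}


if __name__ == "__main__":
    for label, samples in (("enabled", PROMPT_ENABLED), ("disabled", PROMPT_DISABLED)):
        print(label, audit(samples))
```

Body length is a coarse signal: an error page that echoes the requested path will differ in length between any two URLs, so compare paths of equal length or drop that feature when running this against real responses.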