retrieving the password from the db


jimfog

When the user tries to log in... do you check that there is his username/password in the db solely based on the supplied (with the form) username? I mean something like this:

select * from credentials where email='tahtah@tahtah.com';

I am saying that because when the password is hashed in the db, how can we cross-check it with the one supplied by the user during the form? After the above, I compare the hashed password in the db with the user-supplied password (after it has been hashed also). What do you do usually?

It depends what kind of error messages you want to show. If you want different error messages for a missing username and a wrong password then you need to check them individually. If you want one error message that says either the username or password is wrong then you can check them both at the same time.

What is the norm these days in a web app? Check them at the same time or individually? And also to add to this, the checking of the hash.

There's not a "norm", people do things differently based on how they want their application to act. If usernames are sensitive data for you, where you don't even want people to be able to tell what usernames are registered, then you don't want an error message that says the username wasn't found.

Ok, got you, thanks.

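An added example, not code from any poster in this thread: one way to implement the flow discussed above, looking the row up by e-mail only, verifying the salted hash in application code, and returning one generic message so the response does not reveal which e-mails are registered. It assumes Python with SQLite and PBKDF2; the `credentials` table and `email` column come from the question, while the `salt` and `pw_hash` columns, the function names and the iteration count are hypothetical.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # assumed work factor for this example


def hash_password(password, salt):
    """Salted, slow hash; the same password gives a different hash per user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Verified against when the e-mail is unknown, so both failure paths do the same work.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password("not-a-real-password", DUMMY_SALT)


def make_db():
    """Constructed in-memory table named after the one in the question."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE credentials (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    return db


def register(db, email, password):
    salt = os.urandom(16)
    db.execute(
        "INSERT INTO credentials VALUES (?, ?, ?)",
        (email, salt, hash_password(password, salt)),
    )


def login(db, email, password):
    """Return (ok, message); the message is identical for every failure."""
    # Parameterized lookup by e-mail only: a salted hash cannot go in the WHERE clause.
    row = db.execute(
        "SELECT salt, pw_hash FROM credentials WHERE email = ?", (email,)
    ).fetchone()
    salt, stored = row if row else (DUMMY_SALT, DUMMY_HASH)
    candidate = hash_password(password, salt)
    # Constant-time comparison; a dummy match never counts as a login.
    ok = hmac.compare_digest(candidate, stored) and row is not None
    return ok, ("Welcome" if ok else "Invalid e-mail or password")
```

To show separate messages for a missing username and a wrong password instead, branch on whether the row was found before building the message.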
