User enumeration and error messages #220
Open
Description
When attempting to log in with an email address for which there is no user, the client receives a form alert message "This account does not exist." This is unfortunate, as it easily allows for enumerating valid users.
Another thing is that when supplying a password shorter than 8 characters, the client receives a message that the password must be at least 8 characters long when logging in. This is done client-side, but I can confirm the server also sends this message back if I make the client send the password anyway. I think we shouldn't disclose such policies to the client.
Prior to #219 invalid or stale session cookies were logged and sent to the client as a flash message, too.
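The two login behaviours contrasted in the issue, as an added example that is not the project's own code: an in-memory user store (constructed, with a hypothetical `alice@example.com` account), a `login_leaky` handler that reproduces the distinct messages described above, and a `login_uniform` handler that returns one generic failure message, skips the password-policy check at login, and verifies a dummy credential for unknown emails so the failure path does the same work either way.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory store: email -> (salt, PBKDF2 hash). Not the project's code.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash_password("correct horse battery", _SALT))}

# Dummy credential verified when the email is unknown, so an attacker cannot
# tell existing from non-existing accounts by response time.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_FAILURE = "Invalid email or password."

def login_leaky(email: str, password: str) -> tuple[bool, str]:
    """Behaviour described in the issue: each failure has its own message,
    revealing both which emails exist and the password policy."""
    if len(password) < 8:
        return False, "Password must be at least 8 characters long."
    if email not in USERS:
        return False, "This account does not exist."
    salt, stored = USERS[email]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return False, "Wrong password."
    return True, "OK"

def login_uniform(email: str, password: str) -> tuple[bool, str]:
    """Hardened: one message for every failure. The length policy belongs at
    registration, not here; at login a short password simply fails to match."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    # Always hash and compare, even for unknown emails (dummy credential).
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    # Unknown emails must never succeed, whatever the dummy comparison returned.
    ok = ok and email in USERS
    return (True, "OK") if ok else (False, GENERIC_FAILURE)
```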