
A couple of questions about ASP.NET Core default implementation for login security

Çağlar Arlı


By default, ASP.NET Core configures the login exercise with a couple of things that seem strange to me. I'd like someone who knows more about infosec than I do to comment on these, please.

First, it sends an email to a user upon registration containing a confirmation link. The confirmation link contains BOTH the user ID (the primary key of the user record in the database) and a "token" that expires by default in one day. My question here is: It seems like a bad idea to put the user ID in plain text in the confirmation URL. (It seems to me that, in earlier versions of the Identity framework, the token had the user ID encoded in it, all happily encrypted. I may be wrong about this.)

Second, if a user logs in with correct credentials (username and password), but hasn't yet fed the authentication token back into the system (via the link in the email), the login POST routine simply says "bad login attempt". It gives the user no clue that login failed because the user needs to find the confirmation email and deal with it. If I modify this code to tell the user "you need to find that email, or click here to resend the confirmation email", is that a bad thing for some reason?
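The login flow from the second question, as an added example (not code from the post or from the ASP.NET Core Identity templates): a handler that reveals the unconfirmed-email state and resends the link only after the password has been verified, because SignInManager returns NotAllowed from its pre-sign-in check before it compares the password. The LoginModel class, its page names and the IdentityUser setup are assumptions.

```csharp
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.UI.Services;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.AspNetCore.WebUtilities;
// Hypothetical login PageModel; assumes the default IdentityUser (user name == email) and the scaffolded /Account/ConfirmEmail page.
public class LoginModel : PageModel
{
    private readonly SignInManager<IdentityUser> _signInManager;
    private readonly UserManager<IdentityUser> _userManager;
    private readonly IEmailSender _emailSender;
    public LoginModel(SignInManager<IdentityUser> signInManager,
                      UserManager<IdentityUser> userManager, IEmailSender emailSender)
    { _signInManager = signInManager; _userManager = userManager; _emailSender = emailSender; }
    [BindProperty] public string Email { get; set; }
    [BindProperty] public string Password { get; set; }
    public async Task<IActionResult> OnPostAsync()
    {
        var result = await _signInManager.PasswordSignInAsync(
            Email, Password, isPersistent: false, lockoutOnFailure: true);
        if (result.Succeeded) return LocalRedirect("~/");
        if (result.IsLockedOut) return RedirectToPage("./Lockout");
        // NotAllowed is produced by the pre-sign-in check, which runs BEFORE the password
        // is compared, so verify the password here before saying anything account-specific.
        if (result.IsNotAllowed)
        {
            var user = await _userManager.FindByNameAsync(Email);
            if (user != null && !await _userManager.CheckPasswordAsync(user, Password))
                await _userManager.AccessFailedAsync(user); // count it like any bad password
            else if (user != null && !await _userManager.IsEmailConfirmedAsync(user))
            {
                var code = await _userManager.GenerateEmailConfirmationTokenAsync(user);
                code = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(code));
                var link = Url.Page("/Account/ConfirmEmail", pageHandler: null,
                    values: new { area = "Identity", userId = user.Id, code },
                    protocol: Request.Scheme);
                await _emailSender.SendEmailAsync(Email, "Confirm your email",
                    $"Confirm your account by <a href='{link}'>clicking here</a>.");
                ModelState.AddModelError(string.Empty,
                    "Your email is not confirmed; a new confirmation link has been sent.");
                return Page();
            }
        }
        ModelState.AddModelError(string.Empty, "Invalid login attempt."); // everything else
        return Page();
    }
}
```

Without the explicit CheckPasswordAsync step, a specific "confirm your email" message would tell anyone who submits a registered address that the account exists, since the framework never looked at the password on that path.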