finished the first instance of broken auth and sess mgmt

app/controllers/sessions_controller.rb

@@ -6,6 +6,7 @@ class SessionsController < ApplicationController
     redirect_to home_dashboard_index_path if current_user
   end
   
+
   def create
      
       begin
@@ -17,6 +18,8 @@ class SessionsController < ApplicationController
         session[:id] = user.id if User.where(:id => user.id).exists?
         redirect_to home_dashboard_index_path
       else
+        # Removed this code, just doesn't seem specific enough!
+        #  flash[:error] = "Either your username and password is incorrect" 
         flash[:error] = e.message
         render "new"
       end

app/models/user.rb

@@ -9,6 +9,7 @@ class User < ActiveRecord::Base
   validates_uniqueness_of :email
   validates_format_of :email, :with => /.+@.+\..+/i
   
+
   def self.authenticate(email, password)
        auth = nil
        user = find_by_email(email)

app/views/layouts/tutorial/broken_auth_sess/_user_pass_enum.html.erb

@@ -90,7 +90,31 @@
           </div>
           <div class="accordion-body collapse" id="collapseThree" style="height: 0px;">
             <div class="accordion-inner">
-              Anim pariatur cliche reprehenderit, enim eiusmod high life accusamus terry richardson ad squid. 3 wolf moon officia aute, non cupidatat skateboard dolor brunch. Food truck quinoa nesciunt laborum eiusmod. Brunch 3 wolf moon tempor
+              <p>
+				<b> Username and Password Enumeration - SOLUTION</b>
+		      </p>
+		      <p> Within /app/controllers/sessions_controller.rb</p>
+              <pre class="ruby">
+				  def create
+
+				      begin
+				        user = User.authenticate(params[:email], params[:password])
+				      rescue Exception => e
+				      end
+
+				      if user
+				        session[:id] = user.id if User.where(:id => user.id).exists?
+				        redirect_to home_dashboard_index_path
+				      else
+				        flash[:error] =  "Either your username and password is incorrect" #e.message
+				        render "new"
+				      end
+
+				  end
+	 		  </pre>
+	 		  <p class="desc">
+		 	  	Although this fix is neither systemic nor does it address the problematic code at its core (within the user model), it does provide a quick solution. On line 12, we comment out the "e.message code" and instead provide a very generic error message that lacks specificity on what credential was incorrectly entered.
+		      </p>
             </div>
           </div>
         </div>
@@ -104,7 +128,10 @@
           </div>
           <div class="accordion-body collapse" id="collapseFour" style="height: 0px;">
             <div class="accordion-inner">
-              Anim pariatur cliche reprehenderit, enim eiusmod high life accusamus terry richardson ad squid. 3 wolf moon officia aute, non cupidatat skateboard dolor brunch. Food truck quinoa nesciunt laborum eiusmod. Brunch 3 wolf moon tempor
+				<p class="desc">
+					Enter an email address that wouldn't likely exist into the login form. Analyze the result.<br/><br/>
+					Can you leverage this to gain unauthorized access?
+				</p>	
              </div>
           </div>
         </div>

app/views/layouts/tutorial/csrf/_csrf_first.html.erb

@@ -31,7 +31,7 @@
           <div class="accordion-body collapse" id="collapseTwo" style="height: 0px;">
             <div class="accordion-inner">
               <p><b>Cross-Site Request Forgery (CSRF) - The following code was taken from: /app/controllers/application_controller.rb and /app/views/layouts/application.html.erb</b></p>
-			  <p>application_controller.rb<<p>
+			  <p>application_controller.rb<p>
 			  <p>
 			     <pre class="ruby">
 				 # Our security guy keep talking about sea-surfing, cool story bro.