
Signed-off-by: Russ Whitehead <william.whitehead@lexisnexisrisk.com>

Russ Whitehead пре 4 година
родитељ
комит
6840b4f8ca

+ 1 - 0
esp/bindings/http/platform/httpbinding.cpp

@@ -769,6 +769,7 @@ bool EspHttpBinding::basicAuth(IEspContext* ctx)
         case AS_ACCOUNT_LOCKED :
             err.append("Account locked");
             break;
+        case AS_INVALID_CREDENTIALS :
         default:
             err.append("Access Denied: User or password invalid");
         }

+ 7 - 1
esp/bindings/http/platform/httpservice.cpp

@@ -1055,6 +1055,7 @@ EspAuthState CEspHttpServer::preCheckAuth(EspAuthRequest& authReq)
                 clearCookie(authReq.authBinding->querySessionIDCookieName());
                 clearCookie(SESSION_ID_TEMP_COOKIE);
                 clearCookie(SESSION_TIMEOUT_COOKIE);
+                clearCookie(USER_ACCT_ERROR_COOKIE);
             }
             else
                 clearSessionCookies(authReq);
@@ -1191,10 +1192,11 @@ void CEspHttpServer::verifyCookie(EspAuthRequest& authReq, CESPCookieVerificatio
         verifyESPAuthenticatedCookie(authReq, cookie);
     else if (strieq(name, USER_NAME_COOKIE))
         verifyESPUserNameCookie(authReq, cookie);
-    else if (strieq(name, SESSION_TIMEOUT_COOKIE) || strieq(name, SESSION_AUTH_MSG_COOKIE))
+    else if (strieq(name, SESSION_TIMEOUT_COOKIE) || strieq(name, SESSION_AUTH_MSG_COOKIE) || strieq(name, USER_ACCT_ERROR_COOKIE))
     {
         //SESSION_TIMEOUT_COOKIE: used to pass timeout settings to a client.
         //SESSION_AUTH_MSG_COOKIE: used to pass authentication message to a client.
+        //USER_ACCT_ERROR_COOKIE: used to pass user account status to a client.
         //A client should clean it as soon as received. ESP always returns invalid if it is asked.
         cookie.verificationDetails.set("ESP cannot verify this cookie. It is one-time use only.");
     }
@@ -2051,12 +2053,15 @@ EspAuthState CEspHttpServer::handleAuthFailed(bool sessionAuth, EspAuthRequest&
             break;
         case AS_ACCOUNT_DISABLED :
             ESPLOG(LogMin, "Account disabled for %s", authReq.ctx->queryUserId());
+            addCookie(USER_ACCT_ERROR_COOKIE, "Account Disabled", 0, false);
             break;
         case AS_ACCOUNT_EXPIRED :
             ESPLOG(LogMin, "Account expired for %s", authReq.ctx->queryUserId());
+            addCookie(USER_ACCT_ERROR_COOKIE, "Account Expired", 0, false);
             break;
         case AS_ACCOUNT_LOCKED :
             ESPLOG(LogMin, "Account locked for %s", authReq.ctx->queryUserId());
+            addCookie(USER_ACCT_ERROR_COOKIE, "Account Locked", 0, false);
             break;
         }
     }
@@ -2227,6 +2232,7 @@ void CEspHttpServer::clearSessionCookies(EspAuthRequest& authReq)
     clearCookie(SESSION_AUTH_OK_COOKIE);
     clearCookie(SESSION_AUTH_MSG_COOKIE);
     clearCookie(SESSION_TIMEOUT_COOKIE);
+    clearCookie(USER_ACCT_ERROR_COOKIE);
 }
 
 void CEspHttpServer::clearCookie(const char* cookieName)
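Review bot: The three `addCookie(USER_ACCT_ERROR_COOKIE, ...)` calls added in the handleAuthFailed hunk return the exact account state (disabled, expired, locked) to a client whose authentication has just failed, so the response now distinguishes existing accounts from unknown ones. Whether these states can be reached without a correct password is not visible here, because the switch starts above the hunk. If they can, consider sending the detailed status only when the deployment opts in and otherwise keeping the generic failure message. Either way, record the decision above the first call, e.g. `// Account status is disclosed to the failed client by design; the cookie is one-time and script-readable`. The values also contain a space ("Account Disabled"), so confirm that addCookie encodes or quotes cookie values before they reach the Set-Cookie header.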

+ 1 - 0
esp/platform/espcontext.hpp

@@ -43,6 +43,7 @@ static const char* const SESSION_TIMEOUT_COOKIE = "ESPSessionTimeoutSeconds";
 static const char* const SESSION_ID_TEMP_COOKIE = "ESPAuthIDTemp";
 static const char* const SESSION_AUTH_OK_COOKIE = "ESPAuthenticated";
 static const char* const SESSION_AUTH_MSG_COOKIE = "ESPAuthenticationMSG";
+static const char* const USER_ACCT_ERROR_COOKIE = "ESPUserAcctError";
 static const char* const DEFAULT_LOGIN_URL = "/esp/files/Login.html";
 static const char* const DEFAULT_LOGIN_LOGO_URL = "/esp/files/eclwatch/img/Loginlogo.png";
 static const char* const DEFAULT_GET_USER_NAME_URL = "/esp/files/GetUserName.html";