#141 ✓resolved
Norbert

Potential problem with uppercase letters in login

Reported by Norbert | July 22nd, 2009 @ 05:57 PM

Hi, I'm a new user to authlogic (and Rails), but I'd like to point out one potentially dangerous thing I noticed recently. I'm using authlogic 2.1.1 with Rails 2.3.2 and JRuby 1.3.1 with the default configuration (just calling acts_as_authenticate with no additional configuration options).

When I use the registration form (from the sample application) with 'Norbert' (notice the first letter is capital) provided as the login, I see this SQL executed:

INSERT INTO accounts (login, email, crypted_password, password_salt, persistence_token, single_access_token, perishable_token, login_count, failed_login_count, last_request_at, current_login_at, last_login_at, current_login_ip, last_login_ip, created_at, updated_at) VALUES('Norbert', 'aaa@aaa.com', '...', '...', '...', '...', '...', 1, 0, '2009-07-22 21:44:43', '2009-07-22 21:44:43', NULL, '127.0.0.1', NULL, '2009-07-22 21:44:43', '2009-07-22 21:44:43')

But when trying to log in (again with 'Norbert') I noticed this query:

SELECT * FROM accounts WHERE (LOWER(accounts.login) = 'norbert') LIMIT 1

That means that authlogic uses the LOWER function on the login field during the login process but not during the registration process. This leads to a potential problem. It is possible to create two accounts, 'Norbert' and 'norbert' (even if there's a unique constraint in the database and validate_uniqueness_of :login is enabled), but then when you try to log in to the application authlogic will choose randomly (the first provided by the database) between them (both are seen as lowercase 'norbert') and may check against the wrong password (e.g. 'Norbert' instead of 'norbert'). I think that authlogic should use the LOWER function in a consistent way (enabled everywhere or nowhere).

Best regards,
Norbert

Comments and changes to this ticket

  • Ben Johnson

    Ben Johnson July 23rd, 2009 @ 02:36 PM

    • State changed from “new” to “resolved”

    Hi, I disagree. The value in the database should be the raw data, unaltered. If someone wants to put caps in their username they should be able to. Case is irrelevant because you will notice the LOWER function is applied to the database column in the query and it is altered on the fly.

    Also, the validates_uniqueness_of sets :case_sensitive => false. So it is not possible to have Norbert and norbert in the database if the validates_uniqueness_of call is working properly, which I'm pretty sure it is.

    Let me know if you notice anything different. Thanks.

  • Norbert

    Norbert July 23rd, 2009 @ 02:50 PM

    According to the API documentation of validates_uniqueness_of, a race condition resulting in the situation I described before may occur. Link to the apidoc: http://api.rubyonrails.org/classes/ActiveRecord/Validations/ClassMe... Or I just don't understand the v_u_of mechanism yet - then sorry for the problem.

  • Ben Johnson

    Ben Johnson July 23rd, 2009 @ 03:23 PM

    No problem at all. You are right, but I think that is beyond the scope of authlogic. That really should be implemented at the database level if you are concerned about that. Regardless, if you have usernames / login names I think it's a fair assumption to assume you would not want duplicate usernames where the only difference is the case. Authlogic does everything it can to prevent that and then makes logging in case insensitive. That being said, the database level is a level authlogic can't really touch.

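The race Norbert and Ben describe, as an added Ruby example that is not authlogic's code: two registrations both pass the validates_uniqueness_of check before either row exists, after which authlogic's LOWER lookup can only ever return the first row, so the second user's password never matches; the second class models Ben's database-level fix. The in-memory stores, the passwords and the DuplicateLogin error are constructed stand-ins for the table and for ActiveRecord::RecordNotUnique.

```ruby
require "set"

DuplicateLogin = Class.new(StandardError) # stands in for ActiveRecord::RecordNotUnique

# Store with only the application-level check (validates_uniqueness_of :login,
# :case_sensitive => false). Check and insert are separate methods so the
# check-then-insert window can be interleaved deterministically in race().
class RacyAccounts
  attr_reader :rows
  def initialize
    @rows = []
  end
  # The validation's query: SELECT 1 FROM accounts WHERE LOWER(login) = LOWER(?)
  def login_taken?(login)
    @rows.any? { |r| r[:login].casecmp?(login) }
  end
  def insert(login, password)
    @rows << { login: login, password: password }
  end
  # Authlogic's lookup: SELECT * FROM accounts WHERE LOWER(login) = 'norbert' LIMIT 1,
  # so only the first case-insensitive match can ever be authenticated.
  def authenticate(login, password)
    row = @rows.find { |r| r[:login].casecmp?(login) }
    !row.nil? && row[:password] == password
  end
end

# Same store plus the database-level guard: a unique index over LOWER(login).
# Set#add? is one check-and-insert step, like the index check inside the INSERT.
class ConstrainedAccounts < RacyAccounts
  def insert(login, password)
    @normalised ||= Set.new
    raise DuplicateLogin, login unless @normalised.add?(login.downcase)
    super
  end
end

# Two registrations interleaved so both validations pass before either INSERT.
def race(store)
  taken_a = store.login_taken?("Norbert") # request A validates: false
  taken_b = store.login_taken?("norbert") # request B validates: false, A not inserted yet
  store.insert("Norbert", "pw-A") unless taken_a
  begin
    store.insert("norbert", "pw-B") unless taken_b
  rescue DuplicateLogin
    # the constraint rejected the duplicate; the app would show a validation error
  end
  store.rows.size
end
```

On PostgreSQL the real guard is a unique expression index on LOWER(login); on databases without expression indexes, keep a lowercased copy of the login in its own uniquely indexed column and look that up instead.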