#141 ✓resolved

Potential problem with uppercase letters in login

Reported by Norbert | July 22nd, 2009 @ 05:57 PM

Hi, I'm a new user of authlogic (and rails) but I'd like to point out one potentially dangerous thing I noticed recently. I'm using authlogic 2.1.1 with rails 2.3.2 and jruby 1.3.1 with the default configuration (just calling acts_as_authenticate with no additional configuration options).

When I use the registration form (from the sample application) with 'Norbert' (notice the first letter is capital) provided as login, I see this SQL executed:

INSERT INTO accounts (login, email, crypted_password, password_salt, persistence_token, single_access_token, perishable_token, login_count, failed_login_count, last_request_at, current_login_at, last_login_at, current_login_ip, last_login_ip, created_at, updated_at) VALUES('Norbert', 'aaa@aaa.com', '...', '...', '...', '...', '...', 1, 0, '2009-07-22 21:44:43', '2009-07-22 21:44:43', NULL, '', NULL, '2009-07-22 21:44:43', '2009-07-22 21:44:43')

But when trying to login (again with 'Norbert') I noticed this query:

SELECT * FROM accounts WHERE (LOWER(accounts.login) = 'norbert') LIMIT 1

That means that authlogic uses the LOWER function on the login field during the login process but not during the registration process. This leads to a potential problem. It is possible to create two accounts 'Norbert' and 'norbert' (even if there's a unique constraint in the database and validates_uniqueness_of :login enabled), but then when you try to log in to the application authlogic will choose randomly (the first provided by the database) between them (both are seen as lowercase 'norbert') and may check against the wrong password (e.g. 'Norbert' instead of 'norbert'). I think that authlogic should use the LOWER function in a consistent way (enabled everywhere or nowhere).

Best regards,

Comments and changes to this ticket

  • Ben Johnson, July 23rd, 2009 @ 02:36 PM

    • State changed from “new” to “resolved”

    Hi, I disagree. The value in the database should be the raw data, unaltered. If someone wants to put caps in their username they should be able to. Case is irrelevant because you will notice the LOWER function is applied to the database column in the query and it is altered on the fly.

    Also, the validates_uniqueness_of call sets :case_sensitive => false. So it is not possible to have Norbert and norbert in the database if the validates_uniqueness_of call is working properly, which I'm pretty sure it is.

    Let me know if you notice anything different. Thanks.

  • Ben Johnson, July 23rd, 2009 @ 03:23 PM

    No problem at all. You are right, but I think that is beyond the scope of authlogic. That really should be implemented at the database level if you are concerned about that. Regardless, if you have usernames / login names I think it's a fair assumption that you would not want duplicate usernames where the only difference is the case. Authlogic does everything it can to prevent that and then makes logging in case insensitive. That being said, the database level is a level authlogic can't really touch.
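The following is an added example, not authlogic's or the ticket's code: a minimal in-memory model that mirrors the two queries quoted above (a raw-case INSERT and a LOWER()-based SELECT), so you can see why a case-sensitive uniqueness check combined with a case-insensitive lookup produces an ambiguous login, and why the :case_sensitive => false check Ben describes keeps the two consistent. The class and method names, and the sample logins and passwords, are constructed for the demonstration.

```ruby
# Constructed in-memory stand-in for the accounts table (not authlogic code).
class AccountStore
  AmbiguousLogin = Class.new(StandardError)

  def initialize(case_sensitive_uniqueness:)
    @rows = []
    @case_sensitive = case_sensitive_uniqueness
  end

  # Mirrors validates_uniqueness_of :login. With :case_sensitive => false the
  # comparison happens on the lowercased value, i.e. LOWER(login) = LOWER(?).
  def register(login, password)
    key = ->(l) { @case_sensitive ? l : l.downcase }
    return false if @rows.any? { |r| key.call(r[:login]) == key.call(login) }
    @rows << { login: login, password: password } # stored raw, as in the INSERT
    true
  end

  # Mirrors SELECT * FROM accounts WHERE (LOWER(accounts.login) = 'norbert').
  # Returns every match so the caller can detect ambiguity instead of trusting
  # whichever row the database happens to return first under LIMIT 1.
  def find_by_login(login)
    @rows.select { |r| r[:login].downcase == login.downcase }
  end

  # Fails loudly when more than one row matches: a silent LIMIT 1 here is the
  # "checks the wrong password" behaviour described in the report.
  def authenticate(login, password)
    matches = find_by_login(login)
    raise AmbiguousLogin, "#{matches.size} rows match LOWER(login)" if matches.size > 1
    !matches.empty? && matches.first[:password] == password
  end
end

# Registers 'Norbert' and 'norbert' (constructed sample data), then logs in as
# 'Norbert'. Returns a hash describing what happened under the chosen policy.
def demo(case_sensitive_uniqueness:)
  store = AccountStore.new(case_sensitive_uniqueness: case_sensitive_uniqueness)
  first  = store.register('Norbert', 'secret-A')
  second = store.register('norbert', 'secret-B')
  auth = begin
    store.authenticate('Norbert', 'secret-A')
  rescue AccountStore::AmbiguousLogin
    :ambiguous
  end
  { first: first, second: second, auth: auth, rows: store.find_by_login('norbert').size }
end
```

With case-insensitive uniqueness the second registration is rejected and login resolves to exactly one row; with case-sensitive uniqueness both rows exist and the LOWER()-based lookup cannot tell them apart, which is the database-level duplicate a unique index on LOWER(login) would prevent.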
