#141 ✓resolved
Norbert

Potential problem with uppercase letters in login

Reported by Norbert | July 22nd, 2009 @ 05:57 PM

Hi, I'm a new user of authlogic (and rails) but I'd like to point out one potentially dangerous thing I noticed recently. I'm using authlogic 2.1.1 with rails 2.3.2 and jruby 1.3.1 with the default configuration (just calling acts_as_authenticate with no additional configuration options).

When I use the registration form (from the sample application) with 'Norbert' (notice the first letter is capital) provided as login, I see this SQL executed:

INSERT INTO accounts (login, email, crypted_password, password_salt, persistence_token, single_access_token, perishable_token, login_count, failed_login_count, last_request_at, current_login_at, last_login_at, current_login_ip, last_login_ip, created_at, updated_at) VALUES('Norbert', 'aaa@aaa.com', '...', '...', '...', '...', '...', 1, 0, '2009-07-22 21:44:43', '2009-07-22 21:44:43', NULL, '127.0.0.1', NULL, '2009-07-22 21:44:43', '2009-07-22 21:44:43')

But when trying to login (again with 'Norbert') I noticed this query:

SELECT * FROM accounts WHERE (LOWER(accounts.login) = 'norbert') LIMIT 1

That means that authlogic uses the LOWER function on the login field during the login process but not during the registration process. This leads to a potential problem. It is possible to create two accounts 'Norbert' and 'norbert' (even if there's a unique constraint in the database and validate_uniqueness_of :login enabled), but then when you try to log in to the application authlogic will choose randomly (the first provided by the database) between them (both are seen as lowercase 'norbert') and may check against the wrong password (e.g. 'Norbert' instead of 'norbert'). I think that authlogic should use the LOWER function in a consistent way (enabled everywhere or nowhere).

Best regards,
Norbert

Comments and changes to this ticket

  • Ben Johnson

    Ben Johnson July 23rd, 2009 @ 02:36 PM

    • State changed from “new” to “resolved”

    Hi, I disagree. The value in the database should be the raw data, unaltered. If someone wants to put caps in their username they should be able to. Case is irrelevant because you will notice the LOWER function is applied to the database column in the query and it is altered on the fly.

    Also the validates_uniqueness_of sets :case_sensitive => false. So it is not possible to have Norbert and norbert in the database if the validates_uniqueness_of call is working properly, which I'm pretty sure it is.

    Let me know if you notice anything different. Thanks.

  • Norbert

    Norbert July 23rd, 2009 @ 02:50 PM

    According to the API documentation of validates_uniqueness_of, a race condition resulting in the situation I described before may occur. Link to apidoc:
    http://api.rubyonrails.org/classes/ActiveRecord/Validations/ClassMe...
    Or I just don't understand the v_u_of mechanism yet - then sorry for the problem.

  • Ben Johnson

    Ben Johnson July 23rd, 2009 @ 03:23 PM

    No problem at all. You are right, but I think that is beyond the scope of authlogic. That really should be implemented at the database level if you are concerned about that. Regardless, if you have usernames / login names I think it's a fair assumption that you would not want duplicate usernames where the only difference is the case. Authlogic does everything it can to prevent that and then makes logging in case insensitive. That being said, the database level is a level authlogic can't really touch.
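The collision the thread describes (two rows that differ only in case, slipped past validates_uniqueness_of by the race condition, then matched by the same LOWER(login) lookup) and the database-level fix Ben points at, as an added example that is not authlogic's or the ticket's own code. The in-memory rows, the ambiguity check and the PostgreSQL index statement are all constructed here for illustration.

```ruby
# Added example (not authlogic's code): audit for case-colliding logins and
# refuse an ambiguous case-insensitive lookup instead of taking the first row.

# Constructed sample rows standing in for the accounts table on the ticket:
# the 'Norbert' / 'norbert' pair is the duplicate the race condition allows.
ACCOUNTS = [
  { id: 1, login: 'Norbert', crypted_password: 'hash-of-password-A' },
  { id: 2, login: 'norbert', crypted_password: 'hash-of-password-B' },
  { id: 3, login: 'alice',   crypted_password: 'hash-of-password-C' },
].freeze

# Audit check: group logins by their lowercase form and report every group
# with more than one row. The SQL equivalent would be
#   SELECT LOWER(login), COUNT(*) FROM accounts GROUP BY LOWER(login) HAVING COUNT(*) > 1
def case_collisions(rows)
  rows.group_by { |r| r[:login].downcase }
      .select { |_, group| group.size > 1 }
      .transform_values { |group| group.map { |r| r[:login] } }
end

AmbiguousLogin = Class.new(StandardError)

# Mirrors the LOWER(accounts.login) = ? lookup from the ticket, but treats more
# than one match as an error rather than silently using the first row, so the
# password is never checked against the wrong account's hash.
def find_account_by_login(rows, login)
  matches = rows.select { |r| r[:login].downcase == login.downcase }
  raise AmbiguousLogin, "#{matches.size} accounts match #{login.inspect}" if matches.size > 1
  matches.first
end

# Database-level fix: a unique index on the lowercased column closes the race
# no matter what the application validation does. Assumes PostgreSQL
# (expression indexes); other databases need a separate normalized column.
UNIQUE_LOWER_LOGIN_INDEX_SQL =
  'CREATE UNIQUE INDEX index_accounts_on_lower_login ON accounts (LOWER(login));'

if __FILE__ == $PROGRAM_NAME
  p case_collisions(ACCOUNTS)                      # => {"norbert"=>["Norbert", "norbert"]}
  p find_account_by_login(ACCOUNTS, 'Alice')[:id]  # => 3
  begin
    find_account_by_login(ACCOUNTS, 'Norbert')
  rescue AmbiguousLogin => e
    puts "refused: #{e.message}"
  end
  puts UNIQUE_LOWER_LOGIN_INDEX_SQL
end
```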

