login username issue

A place to discuss and receive support for the Web Auction application.

login username issue

Postby studio67 » Thu Nov 15, 2007 3:44 pm

I'm new to the forum here - working with the webauction application. I appreciate any guidance that might be available.

I set the site up - no problem. Works great. I imported a few hundred user records (via SQL script, if that makes any difference at all), and I'm doing a little testing and I found out that if I have a username that matches the beginning part of another username, it logs me in as the wrong user!

For instance, if I have these users:
bob
boba
bobb
bobc

I log in with bob, I actually get logged in as boba.

Has anyone else dealt with this, or seen it? Could anyone point me in the right direction to prevent this from happening? I ran a script on my base of login names and found 5 or 6 where this is the case - the full username is the beginning (substring) of another username (or usernames).

Thanks so much
s

Postby shannah » Thu Nov 15, 2007 4:34 pm

Thanks for posting this. This is a critical issue.

To fix it, you need to make a change to the Dataface/AuthenticationTool.php file. Specifically the getLoggedInUser() method:
Code:
/**
 * Returns reference to a Dataface_Record object of the currently logged in
 * user's record.
 */
function &getLoggedInUser(){
   $null = null;
   if ( !$this->authEnabled ) return $null;
   if ( isset($this->delegate) and method_exists($this->delegate, 'getLoggedInUser') ){
      $user =&  $this->delegate->getLoggedInUser();
      return $user;
   }
   if ( !$this->isLoggedIn() ) return $null;
   static $user = 0;
   if ( $user === 0 ){
      $user = df_get_record($this->usersTable, array($this->usernameColumn => $_SESSION['UserName']));
      if ( !$user ){
         $user = new Dataface_Record($this->usersTable, array($this->usernameColumn => $_SESSION['UserName']));
      }
   }
   return $user;
}


Change it to:
Code:
/**
 * Returns reference to a Dataface_Record object of the currently logged in
 * user's record.
 */
function &getLoggedInUser(){
   $null = null;
   if ( !$this->authEnabled ) return $null;
   if ( isset($this->delegate) and method_exists($this->delegate, 'getLoggedInUser') ){
      $user =&  $this->delegate->getLoggedInUser();
      return $user;
   }
   if ( !$this->isLoggedIn() ) return $null;
   static $user = 0;
   if ( $user === 0 ){
      $user = df_get_record($this->usersTable, array($this->usernameColumn => '='.$_SESSION['UserName']));
      if ( !$user ){
         $user = new Dataface_Record($this->usersTable, array($this->usernameColumn => $_SESSION['UserName']));
      }
   }
   return $user;
}


Notice that all we did was change one line:
Code:
$user = df_get_record($this->usersTable, array($this->usernameColumn => '='.$_SESSION['UserName']));


-Steve
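The lookup problem described in the two posts above, as an added example that is not Xataface's or the Web Auction application's own code: a plain filter value sent to df_get_record is matched as a pattern, so the session username "bob" can come back as the record for "boba"; the "=" prefix asks for an exact match. The example reproduces the two query shapes directly against an in-memory SQLite table of constructed sample users (table and column names, PDO/SQLite, and the trailing-wildcard placement are assumptions for illustration), and adds the audit query that finds every username which is a proper prefix of another one, the check studio67 ran by script.

```php
<?php
// Added example, not Xataface or Web Auction code. Demonstrates why a
// pattern-matching user lookup returns the wrong account and what the
// exact-match lookup looks like. Sample users are constructed inline.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE)');
$ins = $db->prepare('INSERT INTO users (username) VALUES (?)');
foreach (['boba', 'bob', 'bobb', 'bobc', 'alice'] as $u) { // constructed sample data
    $ins->execute([$u]);
}

// Vulnerable shape: the session username becomes a LIKE pattern (assumed
// trailing wildcard). LIMIT 1 mirrors "take the first matching record";
// which bob* row wins depends on storage order, not on who logged in.
function findUserByPrefix(PDO $db, string $username): ?string {
    $stmt = $db->prepare('SELECT username FROM users WHERE username LIKE ? LIMIT 1');
    $stmt->execute([$username . '%']);
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}

// Hardened shape: plain equality, which is what prefixing the filter value
// with '=' requests from the Xataface query builder.
function findUserExact(PDO $db, string $username): ?string {
    $stmt = $db->prepare('SELECT username FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}

// Audit: every username that is a proper prefix of another username, i.e.
// the accounts a prefix-matching lookup could confuse. Uses SUBSTR rather
// than LIKE so '%' and '_' inside a username are not treated as wildcards.
function findPrefixCollisions(PDO $db): array {
    $sql = 'SELECT a.username AS shorter, b.username AS longer
            FROM users a JOIN users b
              ON LENGTH(b.username) > LENGTH(a.username)
             AND SUBSTR(b.username, 1, LENGTH(a.username)) = a.username
            ORDER BY a.username, b.username';
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

printf("pattern match for 'bob': %s\n", findUserByPrefix($db, 'bob'));
printf("exact match for 'bob':   %s\n", findUserExact($db, 'bob'));
foreach (findPrefixCollisions($db) as $c) {
    printf("'%s' is a prefix of '%s'\n", $c['shorter'], $c['longer']);
}
```

Run it with `php` on a build that has pdo_sqlite. Two further reasons to insist on equality for any lookup keyed on an authenticated identity: LIKE also interprets `%` and `_` inside the username itself as wildcards, and in SQLite (and MySQL with the usual collations) LIKE compares case-insensitively, so "Bob" and "bob" would also collide. The audit query only reports prefix collisions among existing accounts; the real fix is the exact-match lookup, since a new registration can create a collision at any time.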

that did it, I believe

Postby studio67 » Thu Nov 15, 2007 7:33 pm

There you go. I think that did the trick. I've only tested one user record so far, but everything worked like a charm.

Thanks very much for the help there.

:)


Powered by Dataface
© 2005-2007 Steve Hannah All rights reserved