login username issue

Archived from the Web Auction Discussion forum.

studio67 — Thu Nov 15, 2007 3:44 pm

I’m new to the forum here - working with the webauction application. I appreciate any guidance that might be available.

I set the site up - no problem. Works great. I imported a few hundred user records (via sql script, if that makes any difference at all), and I’m doing a little testing and I found out that if I have a username that matches the beginning part of another username, it logs me in as the wrong user!

For instance, if I have these users:

bob
boba
bobb
bobc

If I log in with bob, I actually get logged in as boba.

Has anyone else dealt with this, or seen it? Could anyone point me in the right direction to prevent this from happening? I ran a script on my base of login names and found 5 or 6 where this is the case - the full username is the beginning (substring) of another username (or usernames).

Thanks so much

s


shannah — Thu Nov 15, 2007 4:34 pm

Thanks for posting this. This is a critical issue.

To fix it, you need to make a change to the Dataface/AuthenticationTool.php file. Specifically the getLoggedInUser() method:

```php
/**
 * Returns reference to a Dataface_Record object of the currently logged in
 * user's record.
 */
function &getLoggedInUser(){
    $null = null;
    if ( !$this->authEnabled ) return $null;
    if ( isset($this->delegate) and method_exists($this->delegate, 'getLoggedInUser') ){
        $user =& $this->delegate->getLoggedInUser();
        return $user;
    }
    if ( !$this->isLoggedIn() ) return $null;
    static $user = 0;
    if ( $user === 0 ){
        // Looks the user record up by the session's username; a bare value here
        // is not an exact match, so a username that is the prefix of another can
        // resolve to the wrong record.
        $user = df_get_record($this->usersTable, array($this->usernameColumn => $_SESSION['UserName']));
        if ( !$user ){
            $user = new Dataface_Record($this->usersTable, array($this->usernameColumn => $_SESSION['UserName']));
        }
    }
    return $user;
}
```

Change it to:

```php
/**
 * Returns reference to a Dataface_Record object of the currently logged in
 * user's record.
 */
function &getLoggedInUser(){
    $null = null;
    if ( !$this->authEnabled ) return $null;
    if ( isset($this->delegate) and method_exists($this->delegate, 'getLoggedInUser') ){
        $user =& $this->delegate->getLoggedInUser();
        return $user;
    }
    if ( !$this->isLoggedIn() ) return $null;
    static $user = 0;
    if ( $user === 0 ){
        // The '=' prefix asks for an exact match on the username column.
        $user = df_get_record($this->usersTable, array($this->usernameColumn => '='.$_SESSION['UserName']));
        if ( !$user ){
            $user = new Dataface_Record($this->usersTable, array($this->usernameColumn => $_SESSION['UserName']));
        }
    }
    return $user;
}
```

Notice that all we did was change one line:

```php
$user = df_get_record($this->usersTable, array($this->usernameColumn => '='.$_SESSION['UserName']));
```

-Steve
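
The ambiguity Steve's fix removes, as an added Python model that is not the Dataface code: a lookup that matches usernames by prefix, the exact-match lookup that the '=' prefix requests, and an audit of which imported usernames collide the way studio67's script found. The in-memory table, the sample names and the LIKE-based prefix match are constructed assumptions standing in for Dataface's own query handling.

```python
import sqlite3

# Constructed sample users: the names from the post plus one unrelated account.
SAMPLE_USERS = ["bob", "boba", "bobb", "bobc", "alice"]


def make_db(usernames=SAMPLE_USERS):
    """Build an in-memory users table like the one the login code reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [(u,) for u in usernames])
    return conn


def lookup_prefix(conn, username):
    """Hypothetical model of the bare-value filter: every username that starts
    with the session value matches, so the lookup is ambiguous and whichever
    row comes back first becomes the logged-in user."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ?", (username + "%",)
    ).fetchall()
    return [r[0] for r in rows]


def lookup_exact(conn, username):
    """Equality match, which is what the '=' prefix in the fix asks for:
    at most one row, so a session name can only resolve to its own record."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchall()
    return [r[0] for r in rows]


def prefix_collisions(usernames):
    """Audit helper: usernames that are a proper prefix of another username.
    Every account listed here is mis-resolved by the prefix lookup."""
    names = sorted(set(usernames))
    return sorted({a for a in names for b in names if b != a and b.startswith(a)})
```

Run prefix_collisions over the imported login names to confirm the fix covers every affected account, and note that sqlite's LIKE is case-insensitive for ASCII, which only widens the ambiguity the prefix lookup already has.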


studio67 — Thu Nov 15, 2007 7:33 pm

There you go. I think that did the trick. I’ve only tested one user record so far, but everything worked like a charm.

Thanks very much for the help there.