Opened 7 years ago

Closed 5 years ago

#2244 closed defect (bug) (fixed)

Make login error check case-sensitive

Reported by: Spider007 Owned by: anonymous
Priority: normal Milestone: 2.5
Component: Administration Version: 2.0
Severity: normal Keywords:
Cc:

Description

When trying to login as 'Admin' (while that user is named 'admin') WordPress won't allow you to login; but the error generated is 'password invalid' while it should be 'user unknown'. This took me several hours to trace down; a fix is appreciated :)

Attachments (3)

2244.diff (577 bytes) - added by davidhouse 7 years ago.
2244.casesensitive.diff (1.2 KB) - added by DD32 6 years ago.
Case Sensitive logins
2244.caseinsensitive.diff (1.2 KB) - added by DD32 6 years ago.
Case Insensitive logins

Download all attachments as: .zip

Change History (13)

davidhouse7 years ago

comment:1   davidhouse7 years ago

  • Keywords bg|has-ppatch added

comment:2   davidhouse7 years ago

  • Keywords bg|has-patch added; bg|has-ppatch removed

comment:3   skippy7 years ago

why not just str_tolower() the submitted data? Or do we want case-sensitive logins? Should Admin be a different user from admin?

comment:4   abhay7 years ago

I agree with skippy on that. Why should there be a distinction between admin and Admin or skippy and Skippy?

I'd say str_tolower() on the submitted data but for legacy issues, I would also suggest a str_tolower() on the compared string that is in the database.

comment:5   rob1n6 years ago

  • Keywords 2nd-opinion added; login case sensitive error bg|has-patch removed

Which brings up the question... do we want case sensitive logins? Or the other way around (case insensitive logins)?

Open to debate.

comment:6   markjaquith6 years ago

I'd rather not change it at this point.

comment:7   Nazgul6 years ago

  • Milestone set to 2.4

On almost all systems I know the login name is case insensitive and the password is case sensitive.

I'm +1 for making Wordpress act that way as well.

comment:8   DD326 years ago

Personally I think it should be case insensitive usernames, which is how the core WP code currently operates (as the DB layer is case insensitive).
Passwords are still case sensitive as md5's are case sensitive.

I've attached a patch which cleans up the wp_login function, The empty password code was removed as thats handled in the login form anyway.

I'll also attach one which has case sensitive user logins, and displays the correct error.

DD326 years ago

Case Sensitive logins

DD326 years ago

Case Insensitive logins

comment:9   DD326 years ago

  • Keywords has-patch added

comment:10   DD325 years ago

  • Keywords 2nd-opinion has-patch removed
  • Resolution set to fixed
  • Status changed from new to closed

fixed as part of [6350]. See #2394

Note: See TracTickets for help on using tickets.