Case insensitive usernames
| Reported by: | mdawaffe | Owned by: | Denis-de-Bernardy |
| Severity: | normal | Keywords: | has-patch tested commit |
We currently store usernames case insensitively (the default collations for MySQL are case insensitive).
When we check to see if a username already exists, we do so case insensitively (for the same reason).
When users log in, we require them to input their username case sensitively (there is an artificial, case sensitive check during login to ensure the supplied user name is the same as the username stored in the DB).
Why the inconsistency? Why not let users type in their usernames case insensitively?
- Frontend consistency with backend. All aspects of username case (in)sensitivity would be controlled by the collation on the user_login column of the users table.
- Fewer users who forget their usernames.
- Easier for "the bad guys" to fish for usernames. The party line seems to be that it's easy to do that anyway, though.
- Removes artificial, case sensitive check.
- The other way to remove inconsistency would be to be case sensitive everywhere. We could alter the user_login column to varbinary or do user_login SELECTs with the BINARY operator. There may be problems with that idea, though, coming from differences in charsets between different operating systems (or even browsers?). Especially if you move your DB from one host to another.
- Keep as is. WP 2.3.1 incorrectly reports "incorrect password" after a login attempt with an incorrectly cased username. WP trunk reports the correct error: "incorrect username", so at least we're now giving the user the correct feedback.
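
The three behaviours discussed in this ticket, modelled as an added example (this is not WordPress code and not part of the original report). SQLite's `COLLATE NOCASE` stands in for MySQL's case-insensitive default collation, and the function names, the `mode` values and the sample account are assumptions made for illustration.

```python
import hashlib, hmac, os, sqlite3

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    db = sqlite3.connect(":memory:")
    # Assumption: NOCASE plays the role of MySQL's case-insensitive collation
    # on the user_login column.
    db.execute("CREATE TABLE users (user_login TEXT COLLATE NOCASE UNIQUE,"
               " salt BLOB, pw BLOB)")
    return db

def register(db, login, password):
    # The existence check is decided by the column collation, so it ignores case.
    if db.execute("SELECT 1 FROM users WHERE user_login = ?", (login,)).fetchone():
        return "username exists"
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (login, salt, _hash(password, salt)))
    return "ok"

def login(db, typed, password, mode):
    # mode (hypothetical names):
    #   "current"  - collation lookup plus an extra exact-case check in the app
    #   "proposed" - collation lookup only; the collation alone decides
    #   "binary"   - case-sensitive comparison done in the query itself
    sql = "SELECT user_login, salt, pw FROM users WHERE user_login = ?"
    if mode == "binary":
        sql += " COLLATE BINARY"  # explicit collation overrides the column's
    row = db.execute(sql, (typed,)).fetchone()
    if row is None or (mode == "current" and row[0] != typed):
        return "incorrect username"
    if not hmac.compare_digest(row[2], _hash(password, row[1])):
        return "incorrect password"
    return "ok: " + row[0]

if __name__ == "__main__":
    db = make_db()
    print(register(db, "AliceB", "constructed-pass"))  # constructed sample account
    print(register(db, "aliceb", "another-pass"))      # rejected: same name to the DB
    for mode in ("current", "proposed", "binary"):
        print(mode, "->", login(db, "aliceb", "constructed-pass", mode))
```
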
Change History (14)
- Component changed from General to Users
- Owner anonymous deleted
- Keywords tested commit added
- Milestone changed from 2.9 to 2.8
- Owner set to Denis-de-Bernardy
- Status changed from new to accepted