Make WordPress Core

Opened 5 years ago

Closed 4 years ago

#16633 closed enhancement (worksforme)

reauth loop if database contains duplicate values

Reported by: danielpataki
Owned by:
Milestone:
Priority: normal
Severity: minor
Version:
Component: Database
Keywords: reporter-feedback
Focuses:
Cc:


Hi everyone, I found an interesting problem the other day. Perhaps some sort of error message could be implemented here?

If there is a duplicate value on the user_login or user_nicename field in wp_users, WordPress recognizes the login and password as correct, but does not log the user in; the user is directed to wp_login.php with reauth=1 in the URL query.

If the user enters the correct user_login but the incorrect password, an error is given (incorrect password), but if he enters the correct password, no error is given; he is redirected back to the above-mentioned location.

This could occur if a programmer decided to use his own registration script and doesn't check for duplicate values, so the blog owner might not be at fault here, and would have no idea what's going on.

If a user tries to log in and has the same user_login/user_nicename as someone else, perhaps an admin could be notified and an error message could be shown?

Change History (4)

#1 @linuxologos
5 years ago

  • Cc linuxologos@… added

#2 @kurtpayne
4 years ago

  • Cc kurtpayne added
  • Keywords reporter-feedback added

How are you creating these duplicate logins? What is the use case?

I tried to recreate this on WP 3.2 and found the following results:

  • The function get_user_by() uses this query "SELECT * FROM $wpdb->users WHERE $field = %s" without an SQL limit
  • Without an SQL limit, the query will match all users who share a duplicate login name or friendly name
  • The first result from the query is taken because the query is passed through $wpdb->get_row() which retrieves exactly one row
  • I duplicated an admin user record in my database, and a subscriber user record, but I was not able to replicate the problem described in the original post.

Can you please try with the latest version and post your results?
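The lookup behaviour described in comment #2, plus an audit for the duplicate rows that trigger it, as an added example that is not part of the ticket or of WordPress itself. It assumes a cut-down `wp_users` table in in-memory SQLite standing in for MySQL, with constructed rows; `lookup` and `find_duplicates` are hypothetical helper names.

```python
import sqlite3

# Constructed sample rows (ID, user_login, user_nicename); not real data.
ROWS = [
    (1, "admin", "admin"),
    (2, "alice", "alice"),
    (3, "alice", "alice"),    # duplicate created by a raw INSERT
    (4, "bob", "bob"),
    (5, "robert", "bob"),     # same user_nicename, different user_login
]

# Allow-list of lookup columns: column names cannot be bound as parameters.
FIELDS = ("user_login", "user_nicename")

def make_db():
    """Build the stand-in table (assumption: only these columns matter here)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users ("
               "ID INTEGER PRIMARY KEY, user_login TEXT, user_nicename TEXT)")
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", ROWS)
    return db

def lookup(db, field, value):
    """Mimic the query from the ticket: no LIMIT, caller keeps the first row.

    ORDER BY ID is added only so this demo is deterministic; without it the
    database is free to return the matching rows in any order.
    """
    if field not in FIELDS:
        raise ValueError(field)
    rows = db.execute(
        f"SELECT * FROM wp_users WHERE {field} = ? ORDER BY ID", (value,)
    ).fetchall()
    return (rows[0] if rows else None), len(rows)

def find_duplicates(db):
    """Return {field: {value: [IDs]}} for values shared by more than one row."""
    report = {}
    for field in FIELDS:
        cur = db.execute(
            f"SELECT {field}, GROUP_CONCAT(ID) FROM wp_users "
            f"GROUP BY {field} HAVING COUNT(*) > 1")
        report[field] = {v: sorted(int(i) for i in ids.split(","))
                         for v, ids in cur}
    return report

if __name__ == "__main__":
    db = make_db()
    print(lookup(db, "user_login", "alice"))   # first row kept, 2 rows matched
    print(find_duplicates(db))
```

The same `GROUP BY ... HAVING COUNT(*) > 1` query can be run directly against a real `wp_users` table to list the accounts that share a login or nicename.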

#3 @danielpataki
4 years ago

Hi there!

Sorry for the long delay in answering!

The duplicates were created by a faulty test script. I wanted to create 100 users very quickly, and due to an error, some had the same details. I used a raw SQL insert, so WordPress functions were not at fault.

I was using a development version at the time. I will get around to testing this on 3.2 as soon as I can.

#4 @SergeyBiryukov
4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to worksforme
  • Status changed from new to closed

Couldn't reproduce on 3.3-trunk either. Feel free to reopen if there's still a problem.
