Make WordPress Core

Opened 10 years ago

Closed 8 years ago

#2244 closed defect (bug) (fixed)

Make login error check case-sensitive

Reported by: Spider007 Owned by:
Milestone: 2.5 Priority: normal
Severity: normal Version: 2.0
Component: Administration Keywords:
Focuses: Cc:


When trying to login as 'Admin' (while that user is named 'admin') WordPress won't allow you to login; but the error generated is 'password invalid' while it should be 'user unknown'. This took me several hours to trace down; a fix is appreciated :)

Attachments (3)

2244.diff (577 bytes) - added by davidhouse 10 years ago.
2244.casesensitive.diff (1.2 KB) - added by DD32 8 years ago.
Case Sensitive logins
2244.caseinsensitive.diff (1.2 KB) - added by DD32 8 years ago.
Case Insensitive logins

Download all attachments as: .zip

Change History (13)

10 years ago

#1 @davidhouse
10 years ago

  • Keywords bg|has-ppatch added

#2 @davidhouse
10 years ago

  • Keywords bg|has-patch added; bg|has-ppatch removed

#3 @skippy
10 years ago

why not just str_tolower() the submitted data? Or do we want case-sensitive logins? Should Admin be a different user from admin?

#4 @abhay
10 years ago

I agree with skippy on that. Why should there be a distinction between admin and Admin or skippy and Skippy?

I'd say str_tolower() on the submitted data but for legacy issues, I would also suggest a str_tolower() on the compared string that is in the database.

#5 @rob1n
9 years ago

  • Keywords 2nd-opinion added; login case sensitive error bg|has-patch removed

Which brings up the question... do we want case sensitive logins? Or the other way around (case insensitive logins)?

Open to debate.

#6 @markjaquith
9 years ago

I'd rather not change it at this point.

#7 @Nazgul
9 years ago

  • Milestone set to 2.4

On almost all systems I know the login name is case insensitive and the password is case sensitive.

I'm +1 for making Wordpress act that way as well.

#8 @DD32
8 years ago

Personally I think it should be case insensitive usernames, which is how the core WP code currently operates (as the DB layer is case insensitive).
Passwords are still case sensitive as md5's are case sensitive.

I've attached a patch which cleans up the wp_login function, The empty password code was removed as thats handled in the login form anyway.

I'll also attach one which has case sensitive user logins, and displays the correct error.

8 years ago

Case Sensitive logins

8 years ago

Case Insensitive logins

#9 @DD32
8 years ago

  • Keywords has-patch added

#10 @DD32
8 years ago

  • Keywords 2nd-opinion has-patch removed
  • Resolution set to fixed
  • Status changed from new to closed

fixed as part of [6350]. See #2394

Note: See TracTickets for help on using tickets.