WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 5 years ago

#5472 closed enhancement (fixed)

Case insensitive usernames

Reported by: mdawaffe Owned by: Denis-de-Bernardy
Milestone: 2.8 Priority: normal
Severity: normal Version: 2.5
Component: Users Keywords: has-patch tested commit
Focuses: Cc:

Description

We currently store usernames case insensitively (the default collations for MySQL are case insensitive).

When we check to see if a username already exists, we do so case insensitively (for the same reason).

When users log in, we require them to input there username case sensitively (there is an artificial, case sensitive check during login to ensure the supplied user name is the same as the username stored in the DB).

Why the inconsistency? Why not let users type in their usernames case insensitively?

Pros:

  1. Frontend consistency with backend. All aspects of username case (in)sensitivity would be controlled by the collation on the user_login column of the users table.
  2. Fewer users who forget their usernames.

Cons:

  1. Easier for "the bad guys" to fish for usernames. The party line seems to be that it's easy to do that anyway, though.

Attached:

  1. Removes artificial, case sensitive check.

Other Options:

  1. The other way to remove inconsistency would be to be case sensitive everywhere. We could alter the user_login column to varbinary or do user_login SELECTs with the BINARY operator. There may be problems with that idea, though, coming from differences is charsets between different operating systems (or even browsers?). Especially if you move your DB from one host to another.
  2. Keep as is. WP 2.3.1 incorrectly reports "incorrect password" after a login attempt with a incorrectly cased username. WP trunk reports the correct error: "incorrect username", so at least we're now giving the user the correct feedback.

Opinions?

Attachments (2)

5472.diff (416 bytes) - added by mdawaffe 6 years ago.
5472.2.diff (562 bytes) - added by Denis-de-Bernardy 5 years ago.

Download all attachments as: .zip

Change History (14)

mdawaffe6 years ago

comment:1 Viper007Bond6 years ago

  • Version set to 2.4

+1 to this patch. Minor, if no, security loss while making it easier for users to login.

comment:2 DD326 years ago

See also #2244, However that was simply to change the error message.

+1 to consistancy though, dd32 and DD32 are the same user, Theres no reason different capitalisation should prevent me logging in.

comment:3 follow-up: matt6 years ago

My tables all seem to default to utf8_general_ci, which appears to still reject non-matching-case logins even with this patch.

comment:4 in reply to: ↑ 3 DD326 years ago

Replying to matt:

My tables all seem to default to utf8_general_ci, which appears to still reject non-matching-case logins even with this patch.

Cannot reproduce on Trunk w/ utf8_general_ci tables. After applying the patch, logging in with 'dd32' logged me in as 'DD32'

comment:5 Denis-de-Bernardy5 years ago

  • Component changed from General to Users
  • Owner anonymous deleted

confirmed in 11256. cannot create an Admin user when admin exists, and cannot log in as Admin in place of admin.

comment:6 Denis-de-Bernardy5 years ago

nailed this down to MySQL:

mysql> select 'Admin' = 'admin';
+-------------------+
| 'Admin' = 'admin' |
+-------------------+
|                 1 | 
+-------------------+
1 row in set (0.00 sec)

comment:7 Denis-de-Bernardy5 years ago

then tracked this down to wp_authenticate_username_password(). It finds the "correct" user due to the above issue in MySQL, but ends up rejecting it because php considered the above to be false.

mdawaffe's patch (refreshed accordingly) fixes things indeed.

Denis-de-Bernardy5 years ago

comment:8 Denis-de-Bernardy5 years ago

  • Keywords tested commit added
  • Milestone changed from 2.9 to 2.8

comment:9 Denis-de-Bernardy5 years ago

possibly related bug: #5918

comment:10 Denis-de-Bernardy5 years ago

  • Owner set to Denis-de-Bernardy
  • Status changed from new to accepted

comment:11 peaceablewhale5 years ago

I am able to login with "AdMIn" after applying 5472.2.diff.

comment:12 ryan5 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed
Note: See TracTickets for help on using tickets.