RT Ticket #334: username case (in)sensitivity #13

Closed
phinjensen opened this Issue Mar 12, 2013 · 2 comments

Created: Tue Dec 15 19:34:48 2009
Requestors: Gert van der Spoel


From mailinglist ...

On 12/12/09 17:17, Paul Jordan wrote:

It appears that as standard ships, a customer login is not case
sensitive. However, in order to access their order history (detail
page), there is a username comparison to validate the user, it's on
query/order_detail.html. The comparison IS case sensitive, so for
example, if someone logs in as LAdams, instead of ladams, or
something more likely - to issue a return as u01234, instead of
U01234, they'll be met with a user violation error when wanting to
see the detail of their past orders.

This is actually coming from the DB itself. MySQL comparisons are
case-insensitive whereas PostgreSQL are case-sensitive, so you will
find that if you are running PostgreSQL the login will actually be
case sensitive. I think that we should fix the issue to be
consistent across dbs and also fix the behavior to be consistent in IC
itself. So we need to answer the following questions:

  1. To make the behavior consistent across DBs should we adopt the
    MySQL case-insensitive behavior or the PostgreSQL case-sensitive behavior?
  2. Should we fix this in the record_exists() db method or elsewhere?
    What about other db functions?
  3. Alternatively we can fetch the username with correct case from the
    DB during login and replace the passed username with that.

It is my opinion that in the case of usernames, everything should be case insensitive. I mean no system is really going to deal with its customers and say, are you LAdams, or ladams, or ladaMs. Passwords will get a boost from case sensitivity, but not usernames, that would just be confusing.

I'm all for eventually making all uses of username in Perl modules lowercase first. Although #3 seems just fine to me.

Paul

phinjensen Mar 12, 2013

Date: Wed Dec 16 01:10:48 2009
Author: Peter Ajamian


On 16/12/09 08:34, Gert van der Spoel via RT wrote:

It is my opinion that in the case of usernames, everything should be
case insensitive. I mean no system is really going to deal with its
customers and say, are you LAdams, or ladams, or ladaMs. Passwords will
get a boost from case sensitivity, but not usernames, that would just be
confusing.

I'm all for eventually making all uses of username in Perl modules
lowercase first. Although #3 seems just fine to me.

I think that (1) it should be a userdb option and (2) it should not rely
on the screwy behavior of one particular db to implement one way or the
other.

Also I think that we should maybe change the way that the various $db
methods work so that we know that they will be either case-sensitive or
case-insensitive (I vote for the former), though that may be breaking bc
I think it's worth it to get rid of differences that we see from
different DBs. One way is to use the BINARY function in MySQL, another
way is to change certain column definitions to VARCHAR BINARY in order
to force data in that column to be case sensitive.

Peter

jdigory Jul 21, 2016

Contributor

Closing, this is supported in Strap via:
UserDB default ignore_case 1

@jdigory jdigory closed this Jul 21, 2016
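
The mismatch reported in this ticket and option 3 from the list above, as an added Python example that is not part of the thread and is not Interchange code. It assumes SQLite collations as stand-ins for the two database behaviours described (NOCASE for the case-insensitive match, BINARY for the case-sensitive one); the table layout, `ORD1` and all function names are constructed for illustration.

```python
import sqlite3

def make_db(collation):
    """In-memory stand-in: NOCASE mimics the case-insensitive match the thread
    attributes to MySQL, BINARY the case-sensitive match attributed to PostgreSQL."""
    assert collation in ("NOCASE", "BINARY")  # fixed set, never user input
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE userdb (username TEXT COLLATE {collation} PRIMARY KEY)")
    db.execute("CREATE TABLE transactions (order_number TEXT, username TEXT)")
    db.execute("INSERT INTO userdb VALUES ('U01234')")                # constructed row
    db.execute("INSERT INTO transactions VALUES ('ORD1', 'U01234')")  # constructed row
    return db

def login(db, typed, canonical):
    """Return the username to keep in the session, or None if the lookup fails.
    Password verification is left out; only the name handling is shown."""
    row = db.execute("SELECT username FROM userdb WHERE username = ?", (typed,)).fetchone()
    if row is None:
        return None
    # canonical=True is option 3: keep the spelling stored in the DB, not the typed one.
    return row[0] if canonical else typed

def may_view_order(db, session_user, order_number):
    """Exact (case-sensitive) owner check, like the order detail comparison."""
    row = db.execute("SELECT username FROM transactions WHERE order_number = ?",
                     (order_number,)).fetchone()
    return row is not None and row[0] == session_user

def register(db, name):
    """True if the name was free. A NOCASE key also refuses case variants, so
    'u01234' cannot be registered next to 'U01234'."""
    try:
        db.execute("INSERT INTO userdb VALUES (?)", (name,))
        return True
    except sqlite3.IntegrityError:
        return False

if __name__ == "__main__":
    for collation in ("NOCASE", "BINARY"):
        db = make_db(collation)
        for canonical in (False, True):
            user = login(db, "u01234", canonical)
            ok = user is not None and may_view_order(db, user, "ORD1")
            print(collation, "canonical" if canonical else "as typed", user, ok)
```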
