Web Wiz Support and Community Forums : Registration bug 7.9

Web Wiz Support and Community Forums : Registration bug 7.9 https://forums.webwiz.net/ Copyright (c) 2006-2013 Web Wiz Forums - All Rights Reserved. Mon, 13 Apr 2026 21:56:54 +0000 Tue, 30 Aug 2005 18:41:12 +0000 http://blogs.law.harvard.edu/tech/rss Web Wiz Forums 12.08 360 https://forums.webwiz.net/RSS_post_feed.asp?TID=16224 <![CDATA[Web Wiz Support and Community Forums]]> https://forums.webwiz.net/forum_images/web_wiz_forums.png https://forums.webwiz.net/ <![CDATA[Registration bug 7.9 : Well, I guess the If/Then MUST...]]> https://forums.webwiz.net/registration-bug-7-9_topic16224_post89708.html#89708 Author: JJLatWebWiz
Subject: 16224
Posted: 30 August 2005 at 6:41pm

Well, I guess the If/Then MUST stop the table update so here's what I did (and actually tested it this time):

'For extra security create a new user code for the user
If CBool(rsCommon("Active")) then
     strUserCode = userCode(strUsername)

     'Save the new usercode back to the database
     rsCommon.Fields("User_code") = strUserCode
     rsCommon.Update
Else
     strUserCode = rsCommon("User_code")
End If

]]> Tue, 30 Aug 2005 18:41:12 +0000 https://forums.webwiz.net/registration-bug-7-9_topic16224_post89708.html#89708 <![CDATA[Registration bug 7.9 : The only action that takes place...]]> https://forums.webwiz.net/registration-bug-7-9_topic16224_post89648.html#89648 Author: JJLatWebWiz
Subject: 16224
Posted: 30 August 2005 at 2:06am

The only action that takes place when the user clicks the "Logout" link is to execute the "log_off_user.asp" which simply appends "LOGGED-OFF" to the username and stores it in the cookie under "UID" instead of the UserCode. No change is made to the database.

The usercode is created or changed by the function "UserCode" and except for admin functions, is only used by: 1) register.asp when a user creates their account or makes changes to their activated account, 2) activate.asp to set a new usercode when the user activates their account from the emailed URL, 3) forgotten_password.asp to set a new usercode when the user requests a password change, and 4) in login_user.asp where every time the user authenticates, a new usercode is created which prevents a user from logging on at multiple computers.

The culprit is #4...login_user.asp. The new user code is generated EVEN IF the account is not yet activated but the password is correct. So I was wrong. It appears to be over-anxious users who aren't waiting for their activation email before attempting to log in.

To fix it, open login_user.asp. First, add the "Active" field to the primary query:

strSQL = "SELECT " & strDbTable & "Author.Password, " & strDbTable & "Author.Salt, " & strDbTable & "Author.Username, " & strDbTable & "Author.Author_ID, " & strDbTable & "Author.User_code, " & strDbTable & "Author.Active "

and then add a simple if-then to stop the new user code from being generated if the account is not active:

'For extra security create a new user code for the user
If CBool(rsCommon("Active")) then strUserCode = userCode(strUsername)

This allows a new usercode only if the account is activated. I would also stop the table from updating in the 2 lines immediately below that, but it's most important to stop the new user code from being built.

Since the new usercode IS generated when the user actually does activate, there is little risk in not changing usercodes on login until activation. This login_user.asp usercode change isn't part of 7.01 so that's why I haven't seen it before.

]]> Tue, 30 Aug 2005 02:06:16 +0000 https://forums.webwiz.net/registration-bug-7-9_topic16224_post89648.html#89648 <![CDATA[Registration bug 7.9 : on logg off, the usercode is prefixxed...]]> https://forums.webwiz.net/registration-bug-7-9_topic16224_post89631.html#89631 Author: dj air
Subject: 16224
Posted: 29 August 2005 at 5:46pm

on logg off, the usercode is prefixxed with

LOGGED-OFF

so yes the chain of events above could be the problem
]]> Mon, 29 Aug 2005 17:46:44 +0000 https://forums.webwiz.net/registration-bug-7-9_topic16224_post89631.html#89631 <![CDATA[Registration bug 7.9 : If the logoff does in fact change...]]> https://forums.webwiz.net/registration-bug-7-9_topic16224_post89627.html#89627 Author: wistex
Subject: 16224
Posted: 29 August 2005 at 3:08pm

If the logoff does in fact change the user_code (I haven't looked at the 7.9 code yet), then it could cause the problem you are describing if the following sequence of events occur:

User registers for an account.
User is e-mailed a validation e-mail that uses the current user_code to verify.
User clicks the logout button, which changes the user_code.
User clicks on the link in the validation e-mail with the original user_code.

Note: I am not 100% sure that the user_code gets changes when you logout. It might actually be somewhere else in the code. But I do remember that the user_code does get changed periodically for the reason I stated above.

]]> Mon, 29 Aug 2005 15:08:51 +0000 https://forums.webwiz.net/registration-bug-7-9_topic16224_post89627.html#89627 <![CDATA[Registration bug 7.9 : wistex wrote: Doesn't...]]> https://forums.webwiz.net/registration-bug-7-9_topic16224_post89615.html#89615 Author: JJLatWebWiz
Subject: 16224
Posted: 29 August 2005 at 10:50am

wistex wrote:

Doesn't it get changed when you logout too? I thought the user_code was also used to force a re-login on remote machines you forgot to logout of. I may be thinking of something different, but I remember that was implemented so that you could log yourself out of someone else's machine remotely if you forgot to logoff while you were there. If someone tried to use that computer with you still logged in, it would ask them to login again since the user_code in their cookie no longer matched the one in the database.

That may be true. I wasn't aware of it and I have only just begun looking at anything beyond 7.01, so maybe it's a new feature. But even if that's the case, it doesn't happen during the registration process. So I'm sticking with my theory that it relies on a user either double-clicking the submit button or otherwise clicking it a second time before the screen changes AND while the server is in just the right state to allow a second submission with the same username. I think this also might only happen on a busy site with multiple registrations taking place at the same time. It may also only be an Access problem.

What do you think?

]]> Mon, 29 Aug 2005 10:50:47 +0000 https://forums.webwiz.net/registration-bug-7-9_topic16224_post89615.html#89615 <![CDATA[Registration bug 7.9 : Doesn't it get changed when...]]> https://forums.webwiz.net/registration-bug-7-9_topic16224_post89561.html#89561 Author: wistex
Subject: 16224
Posted: 28 August 2005 at 1:48pm

]]> Sun, 28 Aug 2005 13:48:21 +0000 https://forums.webwiz.net/registration-bug-7-9_topic16224_post89561.html#89561 <![CDATA[Registration bug 7.9 : Here's my first guess: those...]]> https://forums.webwiz.net/registration-bug-7-9_topic16224_post89137.html#89137 Author: JJLatWebWiz
Subject: 16224
Posted: 21 August 2005 at 11:49pm

Here's my first guess: those few users are actually double-clicking the Submit button or clicking a second time on the Submit button at just the right moment that causes the "register.asp" to think that the user name isn't yet registered and allows the user_code to be created again for the email. I haven't been able to duplicate the problem to test my guess, but there may be some special condition the server must be in to duplicate the problem. I tested it on SQL, and maybe Access is more susceptable.

After a cursory review of register.asp, during the new user registration process, the user_code is generated just one time to be written into the database and for the activation email. The user_code is rebuilt during an account update, and maybe that's why a double-clicked submit button under certain circumstances causes a second user_code generation. Though it seems like the user would get multiple emails, and at least one of them would have the correct user_code.

Perhaps there should be a javascript to disable the submit button when it is first pressed to prevent a double-click.

]]> Sun, 21 Aug 2005 23:49:33 +0000 https://forums.webwiz.net/registration-bug-7-9_topic16224_post89137.html#89137 <![CDATA[Registration bug 7.9 : Email: User714EFA3436 Da...]]> https://forums.webwiz.net/registration-bug-7-9_topic16224_post88997.html#88997 Author: psycotik
Subject: 16224
Posted: 19 August 2005 at 7:07am

Email:

User714EFA3436

Database:

UserZ5ZD8E4B96

I have a screenshot of the URL so i'm definate about the code.
]]> Fri, 19 Aug 2005 07:07:25 +0000 https://forums.webwiz.net/registration-bug-7-9_topic16224_post88997.html#88997 <![CDATA[Registration bug 7.9 : Have you seen any of the activation...]]> https://forums.webwiz.net/registration-bug-7-9_topic16224_post88893.html#88893 Author: JJLatWebWiz
Subject: 16224
Posted: 17 August 2005 at 12:38pm

Have you seen any of the activation emails that have mismatched user_codes? How significant is the difference between the stored user_code and the emailed user_code? Can you provide an example or 2?

The only registration problems I've had are the result of the JMail ISO Subject bug causing registration emails to be blocked as spam.

]]> Wed, 17 Aug 2005 12:38:52 +0000 https://forums.webwiz.net/registration-bug-7-9_topic16224_post88893.html#88893 <![CDATA[Registration bug 7.9 : I dont think that many people...]]> https://forums.webwiz.net/registration-bug-7-9_topic16224_post88877.html#88877 Author: psycotik
Subject: 16224
Posted: 17 August 2005 at 6:23am

I dont think that many people would do that. It seems to happen to quite a large number of members.]]> Wed, 17 Aug 2005 06:23:48 +0000 https://forums.webwiz.net/registration-bug-7-9_topic16224_post88877.html#88877