Registration bug 7.9

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=16224
Printed Date: 13 April 2026 at 9:54pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Registration bug 7.9
Posted By: psycotik
Subject: Registration bug 7.9
Date Posted: 16 August 2005 at 6:36am
I've got a forum of 2000+ users. Quite often they are saying their activation doesn't work.

What I've traced it down to is the User_code in tblAuthor is different in the email they get sent and in their corresponding record in the database, so the activation is failing. It's not all of the users, maybe 5% or so that it's happening to.

I did a quick search and couldn't find anything. Is this an addressed issue in one of the releases? Because my forum is mod'd I'd prefer to just fix that exact issue than re-doing all the files.



Replies:
Posted By: dpyers
Date Posted: 16 August 2005 at 11:12am
If they request re-activation, does it work then?

I think that there was a problem when people would sign up, and then get their activation email and click on the activation link without closing the original sign up browser session.


-------------

Lead me not into temptation... I know the short cut, follow me.


Posted By: psycotik
Date Posted: 17 August 2005 at 6:23am
I don't think that many people would do that. It seems to happen to quite a large number of members.


Posted By: JJLatWebWiz
Date Posted: 17 August 2005 at 12:38pm
Have you seen any of the activation emails that have mismatched user_codes?  How significant is the difference between the stored user_code and the emailed user_code?  Can you provide an example or 2?
 
The only registration problems I've had are the result of the JMail ISO Subject bug causing registration emails to be blocked as spam.


Posted By: psycotik
Date Posted: 19 August 2005 at 7:07am
Email:

User714EFA3436

Database:

UserZ5ZD8E4B96



I have a screenshot of the URL so I'm definite about the code.


Posted By: JJLatWebWiz
Date Posted: 21 August 2005 at 11:49pm

Here's my first guess: those few users are actually double-clicking the Submit button or clicking a second time on the Submit button at just the right moment that causes the "register.asp" to think that the user name isn't yet registered and allows the user_code to be created again for the email.  I haven't been able to duplicate the problem to test my guess, but there may be some special condition the server must be in to duplicate the problem.  I tested it on SQL, and maybe Access is more susceptible.

After a cursory review of register.asp, during the new user registration process, the user_code is generated just one time to be written into the database and for the activation email.  The user_code is rebuilt during an account update, and maybe that's why a double-clicked submit button under certain circumstances causes a second user_code generation.  Though it seems like the user would get multiple emails, and at least one of them would have the correct user_code.
 
Perhaps there should be a javascript to disable the submit button when it is first pressed to prevent a double-click.


Posted By: wistex
Date Posted: 28 August 2005 at 1:48pm

Doesn't it get changed when you logout too?  I thought the user_code was also used to force a re-login on remote machines you forgot to logout of.  I may be thinking of something different, but I remember that was implemented so that you could log yourself out of someone else's machine remotely if you forgot to logoff while you were there.  If someone tried to use that computer with you still logged in, it would ask them to login again since the user_code in their cookie no longer matched the one in the database.



-------------
WisTex Solutions - http://www.wistex.com
CaribbeanChoice Forums - http://www.caribbeanchoice.com/forums


Posted By: JJLatWebWiz
Date Posted: 29 August 2005 at 10:50am
Originally posted by wistex:

Doesn't it get changed when you logout too?  I thought the user_code was also used to force a re-login on remote machines you forgot to logout of.  I may be thinking of something different, but I remember that was implemented so that you could log yourself out of someone else's machine remotely if you forgot to logoff while you were there.  If someone tried to use that computer with you still logged in, it would ask them to login again since the user_code in their cookie no longer matched the one in the database.

 
That may be true.  I wasn't aware of it and I have only just begun looking at anything beyond 7.01, so maybe it's a new feature.  But even if that's the case, it doesn't happen during the registration process.  So I'm sticking with my theory that it relies on a user either double-clicking the submit button or otherwise clicking it a second time before the screen changes AND while the server is in just the right state to allow a second submission with the same username.  I think this also might only happen on a busy site with multiple registrations taking place at the same time.  It may also only be an Access problem.
 
What do you think?


Posted By: wistex
Date Posted: 29 August 2005 at 3:08pm
If the logoff does in fact change the user_code (I haven't looked at the 7.9 code yet), then it could cause the problem you are describing if the following sequence of events occur:
  1. User registers for an account.
  2. User is e-mailed a validation e-mail that uses the current user_code to verify.
  3. User clicks the logout button, which changes the user_code.
  4. User clicks on the link in the validation e-mail with the original user_code.

Note: I am not 100% sure that the user_code gets changed when you logout.  It might actually be somewhere else in the code.  But I do remember that the user_code does get changed periodically for the reason I stated above.



-------------
WisTex Solutions - http://www.wistex.com
CaribbeanChoice Forums - http://www.caribbeanchoice.com/forums


Posted By: dj air
Date Posted: 29 August 2005 at 5:46pm
On log off, the usercode is prefixed with

LOGGED-OFF

so yes the chain of events above could be the problem


Posted By: JJLatWebWiz
Date Posted: 30 August 2005 at 2:06am
The only action that takes place when the user clicks the "Logout" link is to execute the "log_off_user.asp" which simply appends "LOGGED-OFF" to the username and stores it in the cookie under "UID" instead of the UserCode.  No change is made to the database.
 
The usercode is created or changed by the function "UserCode" and except for admin functions, is only used by: 1) register.asp when a user creates their account or makes changes to their activated account, 2) activate.asp to set a new usercode when the user activates their account from the emailed URL, 3) forgotten_password.asp to set a new usercode when the user requests a password change, and 4) in login_user.asp where every time the user authenticates, a new usercode is created which prevents a user from logging on at multiple computers.
 
The culprit is #4...login_user.asp.  The new user code is generated EVEN IF the account is not yet activated but the password is correct.  So I was wrong.  It appears to be over-anxious users who aren't waiting for their activation email before attempting to log in.
 
To fix it, open login_user.asp.  First, add the "Active" field to the primary query:
 
strSQL = "SELECT " & strDbTable & "Author.Password, " & strDbTable & "Author.Salt, " & strDbTable & "Author.Username, " & strDbTable & "Author.Author_ID, " & strDbTable & "Author.User_code, " & strDbTable & "Author.Active "
 
and then add a simple if-then to stop the new user code from being generated if the account is not active:
 
'For extra security create a new user code for the user
If CBool(rsCommon("Active")) then strUserCode = userCode(strUsername)
 
This allows a new usercode only if the account is activated.  I would also stop the table from updating in the 2 lines immediately below that, but it's most important to stop the new user code from being built.
 
Since the new usercode IS generated when the user actually does activate, there is little risk in not changing usercodes on login until activation.  This login_user.asp usercode change isn't part of 7.01 so that's why I haven't seen it before.


Posted By: JJLatWebWiz
Date Posted: 30 August 2005 at 6:41pm
Well, I guess the If/Then MUST stop the table update so here's what I did (and actually tested it this time):
 
'For extra security create a new user code for the user
If CBool(rsCommon("Active")) then
     strUserCode = userCode(strUsername)
   
     'Save the new usercode back to the database
     rsCommon.Fields("User_code") = strUserCode
     rsCommon.Update
Else
     strUserCode = rsCommon("User_code")
End If
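
The failure and the fix discussed in this thread, modelled as an added example (not code from the forum software or from any poster): the same token serves as both the emailed activation code and the per-login session code, so rotating it at login before activation orphans the emailed link. The `Forum` class, the code format produced by `user_code`, and the sample credentials are constructed assumptions; only the `User_code` and `Active` field names come from the thread.

```python
import hashlib, secrets

def user_code(username):
    # Stand-in for the forum's UserCode function (format is an assumption).
    return username + secrets.token_hex(5).upper()

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class Forum:
    def __init__(self, patched):
        self.patched = patched   # True models login_user.asp with the Active check
        self.authors = {}        # models tblAuthor, keyed by username

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        code = user_code(username)
        self.authors[username] = {"Username": username, "Salt": salt,
                                  "Password": pw_hash(password, salt),
                                  "User_code": code, "Active": False}
        return code              # value embedded in the activation email

    def login(self, username, password):
        row = self.authors.get(username)
        if row is None or not secrets.compare_digest(
                row["Password"], pw_hash(password, row["Salt"])):
            return None
        if row["Active"] or not self.patched:
            # Unpatched: rotates even for inactive accounts, orphaning the emailed code.
            row["User_code"] = user_code(username)
        return row["User_code"]  # value that would go into the cookie

    def activate(self, emailed_code):
        for row in self.authors.values():
            if not row["Active"] and secrets.compare_digest(row["User_code"], emailed_code):
                row["Active"] = True
                row["User_code"] = user_code(row["Username"])  # new code on activation
                return True
        return False

def scenario(patched):
    forum = Forum(patched)
    emailed = forum.register("alice", "constructed-password")
    forum.login("alice", "constructed-password")   # user logs in before opening the email
    return forum.activate(emailed)

if __name__ == "__main__":
    print("unpatched activation succeeds:", scenario(False))
    print("patched activation succeeds:  ", scenario(True))
```

Because activation itself issues a new code, the emailed value is single-use in both variants; the patch only stops login from invalidating it early.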
 


