Registration bug 7.9

wistex (Mod Builder Group), posted 29 August 2005 at 3:08pm
If the logoff does in fact change the user_code (I haven't looked at the 7.9 code yet), then it could cause the problem you are describing if the following sequence of events occurs:
  1. User registers for an account.
  2. User is e-mailed a validation e-mail that uses the current user_code to verify.
  3. User clicks the logout button, which changes the user_code.
  4. User clicks on the link in the validation e-mail with the original user_code.

Note: I am not 100% sure that the user_code gets changed when you logout.  It might actually be somewhere else in the code.  But I do remember that the user_code does get changed periodically for the reason I stated above.

dj air (Senior Member), posted 29 August 2005 at 5:46pm
On log off, the usercode is prefixed with

LOGGED-OFF

So yes, the chain of events above could be the problem.

JJLatWebWiz (Groupie), posted 30 August 2005 at 2:06am
The only action that takes place when the user clicks the "Logout" link is to execute the "log_off_user.asp" which simply appends "LOGGED-OFF" to the username and stores it in the cookie under "UID" instead of the UserCode.  No change is made to the database.
 
The usercode is created or changed by the function "UserCode" and except for admin functions, is only used by: 1) register.asp when a user creates their account or makes changes to their activated account, 2) activate.asp to set a new usercode when the user activates their account from the emailed URL, 3) forgotten_password.asp to set a new usercode when the user requests a password change, and 4) in login_user.asp where every time the user authenticates, a new usercode is created which prevents a user from logging on at multiple computers.
 
The culprit is #4...login_user.asp.  The new user code is generated EVEN IF the account is not yet activated but the password is correct.  So I was wrong.  It appears to be over-anxious users who aren't waiting for their activation email before attempting to log in.
 
To fix it, open login_user.asp.  First, add the "Active" field to the primary query:
 
strSQL = "SELECT " & strDbTable & "Author.Password, " & strDbTable & "Author.Salt, " & strDbTable & "Author.Username, " & strDbTable & "Author.Author_ID, " & strDbTable & "Author.User_code, " & strDbTable & "Author.Active "
 
and then add a simple if-then to stop the new user code from being generated if the account is not active:
 
'For extra security create a new user code for the user
If CBool(rsCommon("Active")) then strUserCode = userCode(strUsername)
 
This allows a new usercode only if the account is activated.  I would also stop the table from updating in the 2 lines immediately below that, but it's most important to stop the new user code from being built.
 
Since the new usercode IS generated when the user actually does activate, there is little risk in not changing usercodes on login until activation.  This login_user.asp usercode change isn't part of 7.01 so that's why I haven't seen it before.

JJLatWebWiz (Groupie), posted 30 August 2005 at 6:41pm
Well, I guess the If/Then MUST stop the table update so here's what I did (and actually tested it this time):
 
'For extra security create a new user code for the user
If CBool(rsCommon("Active")) then
     strUserCode = userCode(strUsername)
   
     'Save the new usercode back to the database
     rsCommon.Fields("User_code") = strUserCode
     rsCommon.Update
Else
     strUserCode = rsCommon("User_code")
End If
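
Added example, not part of the thread and not Web Wiz Forums code: a small Python model of the user_code lifecycle discussed above, showing why rotating the code on login invalidates a pending activation link and how gating the rotation on the Active flag avoids it. The class, the function names, the code format and the lookup of pending accounts by e-mailed code are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ForumModel:
    """Toy model of the user_code lifecycle (hypothetical, not the forum's code)."""

    def __init__(self, rotate_only_if_active):
        self.rotate_only_if_active = rotate_only_if_active  # True = patched login
        self.users = {}

    def _new_code(self, username):
        # Stand-in for the forum's userCode(); the real format is not shown in the thread.
        return username + secrets.token_hex(8)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "hash": _hash(password, salt),
                                "active": False, "user_code": self._new_code(username)}
        return self.users[username]["user_code"]  # value sent in the activation e-mail

    def login(self, username, password):
        user = self.users[username]
        if not hmac.compare_digest(user["hash"], _hash(password, user["salt"])):
            return None
        # Unpatched: always rotate. Patched: rotate only for activated accounts.
        if user["active"] or not self.rotate_only_if_active:
            user["user_code"] = self._new_code(username)
        return user["user_code"]

    def activate(self, emailed_code):
        for name, user in self.users.items():
            if not user["active"] and hmac.compare_digest(user["user_code"], emailed_code):
                user["active"] = True
                user["user_code"] = self._new_code(name)  # fresh code on activation
                return True
        return False  # the e-mailed code no longer matches any pending account

def early_login_then_activate(rotate_only_if_active):
    """Constructed scenario: the user logs in before clicking the e-mailed link."""
    forum = ForumModel(rotate_only_if_active)
    emailed = forum.register("alice", "constructed-password")
    forum.login("alice", "constructed-password")
    return forum.activate(emailed)

if __name__ == "__main__":
    print("unpatched login:", early_login_then_activate(False))
    print("patched login:  ", early_login_then_activate(True))
```
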
 