Chapter 1

notnac · September 5th, 2009, 11:38 PM

I've been trying to adapt the login script(s) in chapter 1 and just when I thought it was working, I realized that I could successfully log in regardless of whether or not I had verified the registration.

My understanding is that upon successful registration, the "isActive" field is set to "inactive" with a value of 0. Then, if verified, either by link or email link, the value of "isActive" is set to a value of 1.

The login.php script seems to allow a user to successfully login regardless of whether they have verified their registration or not. It doesn't appear to check that the user has verified their registration and thus, has an active status, in order to successfully log in. I don't think this is correct. Any thoughts?

kenj · September 24th, 2009, 03:30 PM

This is a very interesting find notnac.

I also notice that I can login with an
inactive user.

Here's a change that I tried and it works.

In login.php, around line 21, add a check for $user->isActive

The original line

Code:

      if ($user->userId && $user->password == sha1($_POST['password']))

Change it to

Code:

  if ($user->userId && $user->password == sha1($_POST['password']) && $user->isActive)

Also change the comment on line 32

Code:

    // invalid user and/or password and/or user not active