From: Krzysztof B. <kb...@un...> - 2020-03-25 09:43:17
Hi,

On 24.03.2020 at 17:08, D Baum wrote:
> Hi!
>
> Just found that on my unity instance I can register as separate entities
> with userNames "dbaum", "DBaum", "DbAuM", etc.
>
> In itself, I find this a little confusing for the moderators/admins
> (remembering that DBaum and dbaum can be different people).
>
> However, my unity clients don't all take capitalisation into account
> when retrieving user data (see, e.g.
> https://stackoverflow.com/questions/44821863/spring-boot-security-consider-case-insensitive-username-check-for-login/)
>
> I realise that this could be exploited to hijack a user's account if you
> know the username, by registering the same username with different
> capitalisation in unity and then logging into the client.
>
> Now, I've fixed this on the client side for my setup (where it should be
> fixed). But can I ask that you consider adding a feature where users are
> prevented from registering entities with usernames that differ from
> existing ones only in capitalisation?

Yes, makes sense. We have supported this for quite a long time for email identities (I guess more popular nowadays), but such a feature can also be added for usernames.

Cheers,
Krzysztof
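The hijack described in the thread, and the registration-time check that closes it, as an added example that is not Unity's code and not code from either poster. The scenario is constructed: "dbaum" is the legitimate user, an attacker tries to register "DBaum", and the client resolves IdP usernames case-insensitively in the style of the Spring Security question linked above. The registry classes, the `canonical_username` helper and the account labels are all hypothetical.

```python
"""Added example (not Unity's code): username uniqueness must be checked on a
canonical form when any consumer of the identity compares names
case-insensitively.

Constructed scenario: "dbaum" is a legitimate user; an attacker tries to
register "DBaum". Two hypothetical identity stores are modelled, and a
client-side resolver mirrors the case-insensitive lookup from the Spring
Security question linked in the thread.
"""
import unicodedata


def canonical_username(name: str) -> str:
    """Canonical key for uniqueness checks.

    NFKC normalisation folds compatibility characters (the Kelvin sign U+212A
    becomes a plain 'K'), casefold() does full Unicode case folding
    ('ß' -> 'ss', which str.lower() does not do), and a second NFKC pass
    re-normalises anything the folding produced.
    """
    folded = unicodedata.normalize("NFKC", name).casefold()
    return unicodedata.normalize("NFKC", folded)


class NaiveRegistry:
    """Identity store that treats usernames as opaque, case-sensitive strings
    (the behaviour the thread reports)."""

    def __init__(self):
        self._users = {}  # exact username -> owner label

    def register(self, username, owner):
        if username in self._users:
            raise ValueError(f"username {username!r} already taken")
        self._users[username] = owner
        return username


class CanonicalRegistry:
    """Identity store that refuses a username whose canonical form is already
    taken, while still storing the user's preferred spelling."""

    def __init__(self):
        self._users = {}  # canonical key -> (display name, owner label)

    def register(self, username, owner):
        key = canonical_username(username)
        if key in self._users:
            existing = self._users[key][0]
            raise ValueError(
                f"username {username!r} collides with existing {existing!r}")
        self._users[key] = (username, owner)
        return username

    def owner_of(self, username):
        entry = self._users.get(canonical_username(username))
        return entry[1] if entry else None


def resolve_client_account(idp_username, client_accounts):
    """Client-side mapping from the username asserted by the IdP to a local
    account, compared case-insensitively as in the linked Spring question.
    Returning the first match is exactly what makes the collision exploitable."""
    for local_name, account in client_accounts.items():
        if local_name.casefold() == idp_username.casefold():
            return account
    return None


def demo(registry_cls):
    """Run the scenario against a registry class. Returns the account the
    client hands out after the attacker authenticates, or the rejection text."""
    registry = registry_cls()
    registry.register("dbaum", "victim")
    client_accounts = {"dbaum": "victim's client data"}  # constructed client-side table
    try:
        attacker_name = registry.register("DBaum", "attacker")
    except ValueError as exc:
        return f"rejected: {exc}"
    # The attacker authenticates at the IdP with their own credentials as
    # "DBaum"; the client then resolves that name case-insensitively.
    return resolve_client_account(attacker_name, client_accounts)


if __name__ == "__main__":
    print("naive:    ", demo(NaiveRegistry))      # victim's client data
    print("canonical:", demo(CanonicalRegistry))  # rejected: username 'DBaum' collides with existing 'dbaum'
```

The canonical key is only used for the uniqueness check and lookups; the spelling the user chose is still stored and shown. Folding on NFKC plus casefold rather than `lower()` also catches the confusable-character variants that a pure capitalisation rule would miss.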