Login name (not password) hash collision?

If you have questions about using mojoPortal, you can post them here.

You may want to first review our site administration documentation to see if your question is answered there.

This thread is closed to new posts. You must sign in to post in the forums.
9/23/2013 11:55:23 AM
lilleyt
Gravatar
Total Posts 21
View Posts

Login name (not password) hash collision?

System Information

mojoPortal Version2.3.7.5 MSSQL
Operating SystemMicrosoft Windows NT 5.2.3790 Service Pack 2
ASP.NET Infov4.0.30319 Running in Full Trust

Ran into a very strange issue today.

User contacted me and said they couldn't register on my mojoPortal site.  Registration was taking a long time and eventually timing out.

I created a dummy account as a test and had no issue.

Checked the server and when the user pressed the registration button, sql server maxed cpu and continued until the connection timed out.

Ran a profiler to see the query.  Sql was in a loop of running a login name lookup, alternating with an exec sp_reset_connection.

The query for the login name lookup was this:

exec mp_Users_SelectByLoginName @SiteID=1,@LoginName=N'administrator1234567891011121314151617181920212223'
go

I ran the query myself, and it came up with an account with that login name already in the database.  The email address shared "administrator" as the user portion of the email, but the domain was unrelated.

I requested that the user attempt a different username to avoid this apparent collision.  Have not yet heard back the result of that.

I'm conjecturing that mojoPortal is using some counting to create non-conflicting usernames when the name portion of the email is the same.  However, this is not working, as it seems to have run out of numbers.  The numbers after the username above are simply counting from 1 to 23.  Does this mean you can only have 23 users in your system that share an address name?  That's a problem for our userbase.

I'm going to need a workaround if that's the case.

Thanks,

Ted

9/23/2013 12:34:39 PM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: Login name (not password) hash collision?

Yes, mojoPortal tries to avoid any duplicate login names even if using email for login because you could always change that at any time.

By default users choose their own login name and the registration page will tell them if the one they chose is already in use.

The only case where we auto generate one is if you have added the config setting AutoGenerateAndHideUserNamesWhenUsingEmailForLogin as true.

In that case we take the part of the email before the @ sign and try to use it but if it exists we do keep appending 1 until it is not a duplicate in SiteUtils.SuggestLoginNameFromEmail

public static string SuggestLoginNameFromEmail(int siteId, string email)
        {
            string login = email.Substring(0, email.IndexOf("@"));
            int offset = 1;
            while (SiteUser.LoginExistsInDB(siteId, login))
            {
                login = login + offset.ToInvariantString();
                offset += 1;
            }

            return login;
        }

I guess this logic is not perfect and if the same one keeps coming up then eventually it outgrows the allowed size for the loginname field.

I did not anticipate there being that many duplicates from the part of a unique email address before the @ sign. In order to have this problem you must have lots of users with the email address administrator@someuniquedomain 

I just changed the logic like this:

public static string SuggestLoginNameFromEmail(int siteId, string email)
        {
            string login = email.Substring(0, email.IndexOf("@"));
            int offset = 1;
            while (SiteUser.LoginExistsInDB(siteId, login))
            {
                offset += 1;
                login = email.Substring(0, email.IndexOf("@")) + offset.ToInvariantString();
                
            }

            return login;
        }

which should take much longer to run out of unique variants

This change is in the source code repository now.

Only workarounds I can think of are to update to a build of the latest code, or update existing rows to change/remove "administrator" portion of the data to avoid future collisions until the next release of mojoPortal. 

Hope that helps,

Joe

9/23/2013 1:47:31 PM
lilleyt
Gravatar
Total Posts 21
View Posts

Re: Login name (not password) hash collision?

Thanks for the speedy response.  That sounds great.  I've taken your advice and modified the existing records to strip the administrator portion of the string off.

I'll look out for the next build and upgrade to that.

One super minor suggestion might be to use a rand function to append a number of a given length instead of walking up from "1".  That will give better performance in the long run as you'll have a good chance of success on the first try rather than an increasing number of failures every time you try.

As it happens, we are the use case that wasn't foreseen.  We get people registering that email address prefix all the time.  In fact, I hesitate to think how many people tried to register and may have just given up.

We sell products to IT service providers.  Usually they are registering an institutional email address which will survive them after they no longer service the customer.  Hence we get a lot of "administrator@" email addresses.

We did indeed turn on the autogenerate feature because we ask for a lot of custom profile info and autogenerating the login name was one way to simplify an otherwise complicated form.  We're planning on leaving it that way.

Cheers.

 

You must sign in to post in the forums. This thread is closed to new posts.