• Resolved mrpep5

    (@mrpep5)


    Hello support team, thank you for the great plugin, it helps us enormously.

    We have the following problem.
    We have 2 sides, side A and B.
    You can register and log in on both sides. However, the user data is only synchronized from page B to A, which is also intentional, because these are different communities.
    If a user already exists on page A with the username @mrbrian and someone registers on page B and uses the username @mrbrian, then the user from page B can log in to page A, although they are different users. In short, for users with the same username on page A and B but different people, the login data are synchronized so that you can log in on both sides.

    How can we solve this so that it doesn’t happen?

    However, the login data are synchronized in both directions. Only the creation of an account goes in one direction, namely from B to A.

    Thank you for your support

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter mrpep5

    (@mrpep5)

    In this way, side A does not notice that the same username exists on side B and vice versa.

    Plugin Author Alexandre Froger

    (@frogerme)

    Hi,

    When dealing with logins and user synchronization, it is very important to keep in mind that the username is treated as a unique key, and is the single source of truth for all sync operations.

    To prevent a user from being spoofed, the websites would have to actually synchronise the users to ensure uniqueness and have knowledge of the shared user, or a developer would have to use the provided hooks to overload the classes and change the behavior.

    Thread Starter mrpep5

    (@mrpep5)

    Many thanks for your response.
    I almost thought so.
    Unfortunately we don’t have a developer. Is there a way to get this out as an update? Would also contribute to the effort.
    So that the system checks whether the username already exists and adds a prefix to it, or something like that?

    Plugin Author Alexandre Froger

    (@frogerme)

    I am not planning to add such a feature at this stage.
    There would be several ways to choose which field is treated as the key for a user (see this support question about using email addresses instead), too many different scenarios to implement, and an opinionated choice was made for the plugin, with built-in flexibility should the need to change the behavior arise.

    Hi Alex,

    Truly awesome plugin, however, doesn’t this limitation represent a major security concern? Might it be prudent to make note of this in the plugin description?

    In particular, given that roles may be synchronized, if an attacker creates an account on site B with the same user_login of an administrator on site A… then… explosions?

    Whilst I appreciate that ‘a choice of identifier must be made’, it can be argued that emails are the only unique identifier in this case, as it’s possible to verify ownership of an email (2FA), whereas usernames are inherently unverifiable.

    Thoughts?
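To make the collision discussed in this thread concrete (the plugin author's point that the username is the sole sync key, and the last reply's argument for the email as identifier), here is an added Python model. It is not the plugin's code; the User fields, the `key` policy switch and the sample accounts are constructed for the illustration. Site A receives a sync record from site B for a username it already holds, once keyed by username alone and once requiring the stored email to match as well.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    """One account as a site stores it (fields assumed for this model)."""
    username: str
    email: str
    password_hash: str
    roles: list = field(default_factory=list)


class Site:
    """User store of one site plus the policy applied to inbound sync records.

    key="username" models the behaviour described in the thread: the username
    alone identifies the account. key="email" additionally requires the stored
    email to match before login data is overwritten; that check only helps if
    the sending site has verified ownership of the email address.
    """

    def __init__(self, users, key="username"):
        self.users = {u.username: u for u in users}
        self.key = key
        self.rejected = []  # conflicting records an administrator should review

    def apply_remote(self, remote):
        local = self.users.get(remote.username)
        if local is None:
            self.users[remote.username] = remote
            return "created"
        if self.key == "email" and local.email.lower() != remote.email.lower():
            # Same username, different person: refuse to merge and keep a record.
            self.rejected.append((remote.username, remote.email))
            return "rejected"
        # Username-keyed: the remote hash and roles replace the local ones, so
        # the remote account holder can now log in here with their own password.
        local.password_hash = remote.password_hash
        local.roles = list(remote.roles)
        return "updated"


def collision_demo(key):
    """Site A holds admin 'mrbrian'; site B sends its own, unrelated 'mrbrian'."""
    site_a = Site([User("mrbrian", "brian@a.example", "hashA", ["administrator"])], key)
    from_b = User("mrbrian", "someone@b.example", "hashB", ["subscriber"])
    outcome = site_a.apply_remote(from_b)
    stored = site_a.users["mrbrian"]
    return outcome, stored.password_hash, stored.roles


if __name__ == "__main__":
    print(collision_demo("username"))  # ('updated', 'hashB', ['subscriber'])
    print(collision_demo("email"))     # ('rejected', 'hashA', ['administrator'])
```

The `rejected` list is the signal a site operator would want surfaced in logs or notifications, since a conflicting record for an existing privileged username is exactly the case the thread worries about.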

  • The topic ‘Same username on different Sites’ is closed to new replies.