• Hi,

    I ran into an interesting problem today:

    1. User#1 registered a long time ago, and verified the account.
    2. User#2 registered 7 days ago, never verified.
    3. Grace period expired, and account for user#2 was erased.
    4. User#2 clicks on the verify link.
    5. User#1 sees a message that says “thank you for registering User#1”
    6. User#2 goes away confused.

    I checked the tables, and I see that pie-register does not erase the verify code after it is used. I think if you just added a delete_user_meta($user_id, 'email_verify'); that would fix the problem. Actually, I see that line is commented out (line 2011 of pie-register.php). Why was it commented out? That would greatly reduce the likelihood of collisions.

    If you need to keep the email_verify in the table forever, you should make the code hashed on the person’s email address and whatever random stuff you want to use – it might be a good idea to use the random KEY/SALTs from wp-config.php (I assume WordPress has an API for getting that stuff) so then hackers can’t figure out the random hash, which they might be able to do currently, since RanPass is only based on time, which is publicly available, though you are using microtime, so that might mitigate it, though I’d guess it isn’t unbreakable.

    I’m also not sure what casting the microtime() to a double does – maybe that removes the number of seconds from the result? Probably using the example from the manual: explode(" ", microtime()) would be a better choice.

    Anyway – the only really pressing issue is that the usermeta table is full of email_verify (and actually lots of email_* stuff – looks like the code changed at some point, because I have 80211 users, and only 40838 email_verify_email and email_verify_user_pwd entries and 235 email_verify_date and email_verify_user entries, and 2699 email_verified_user and 2933 email_verify entries).

    Seems like most of that could be erased, right? Is there any reason to keep it around?

    https://wordpress.org/plugins/pie-register/
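The two fixes discussed in the post above (erase the code once it is used, and stop deriving it from the clock) can be sketched as follows. This is an added example, not code from Pie Register or from the poster: the class `VerifyTokens` is hypothetical, a PHP array stands in for the usermeta table, `$secret` stands in for a site secret such as the wp-config.php keys/salts, and PHP 8 is assumed.

```php
<?php
// Added example (hypothetical class; array stands in for the usermeta table).
final class VerifyTokens
{
    private array $meta = [];   // user_id => ['hash' => ..., 'expires' => ...]

    public function __construct(private string $secret, private int $ttl = 604800) {}

    // Draw the code from the CSPRNG instead of microtime(); store only a keyed hash.
    public function issue(int $userId, ?int $now = null): string
    {
        $token = bin2hex(random_bytes(32));
        $this->meta[$userId] = [
            'hash'    => $this->digest($userId, $token),
            'expires' => ($now ?? time()) + $this->ttl,
        ];
        return $token;   // e-mailed in the verify link together with $userId
    }

    // Check the code only against the user named in the link, then erase it.
    public function redeem(int $userId, string $token, ?int $now = null): bool
    {
        $row = $this->meta[$userId] ?? null;
        if ($row === null) {
            return false;                 // account erased, or code already used
        }
        $expired = ($now ?? time()) > $row['expires'];
        $matches = hash_equals($row['hash'], $this->digest($userId, $token));
        if ($expired || $matches) {
            unset($this->meta[$userId]);  // the delete_user_meta() step: single use
        }
        return $matches && !$expired;
    }

    // Grace period cleanup: drop the pending code with the account.
    public function forget(int $userId): void { unset($this->meta[$userId]); }

    // Binding the hash to the user id means one user's code never fits another.
    private function digest(int $userId, string $token): string
    {
        return hash_hmac('sha256', $userId . ':' . $token, $this->secret);
    }
}

// The scenario from the post, replayed against the sketch.
$tokens = new VerifyTokens(random_bytes(32));
$code1 = $tokens->issue(1);
$code2 = $tokens->issue(2);
var_dump($tokens->redeem(1, $code1));   // User#1 verifies normally
$tokens->forget(2);                     // User#2's grace period expires
var_dump($tokens->redeem(2, $code2));   // User#2 clicks the stale link
var_dump($tokens->redeem(1, $code2));   // User#2's code tried against User#1
var_dump($tokens->redeem(1, $code1));   // User#1's code replayed after use
```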

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter jondaley

    (@jondaley)

    Here’s an update on the numbers. I don’t understand what these values are being used for:
    Users on site: 87199
    email_verify_email: 45929
    email_verify_user_pwd: 45929
    email_verified_user: 7892
    email_verify: 7892
    email_verify_date: 0

    I’ve uncommented the delete_user_meta(email_verify) line, and things seem to be working better.

    Plugin Contributor genetech

    (@genetech)

    Hello Jondaley,

    We are no longer supporting Version 1, so we would recommend you upgrade to version 2.0. This version has a lot of changes to the structure, UI and database as well.

    The newer version can import all your previously set Custom Fields, but it is recommended that you first install it on a Test Environment before upgrading on production sites.

    Please use our contact support form for any queries you may have.

    Thanks

  • The topic ‘Bug: random generator isn't random enough and can get duplicates’ is closed to new replies.