User Unregister/Delete then Reregister Same Username Saves Old Profile
New Post
5/11/2010 1:52 PM
 
I have learned that when a user unregisters or is deleted and then an account with the same username is created, the first user's profile information is inserted into the new user. This is a big security risk because the same account name cannot be used twice; otherwise the first user's information will be displayed for the new user. I am using DotNetNuke 5.4 stable. Is this right and it has just been overlooked, or is my configuration wrong?
 
New Post
5/12/2010 3:39 PM
 
Since either 5.1.x or 5.2.x, the deletion of an account has been a soft delete, where the information is just hidden from display; therefore, this process is somewhat expected.

I do agree with you though that depending on the profile information of a site, this could be a "risk".

I would log this at support.dotnetnuke.com

-Mitchel Sellers
Microsoft MVP, ASPInsider, DNN MVP
CEO/Director of Development - IowaComputerGurus Inc.
 
New Post
5/12/2010 11:56 PM
 
I am ready to deploy a website I made with DNN, but this issue seems risky to me. I understand holding the information for data integrity purposes, but I believe the e-mail for the new user should be checked to match the e-mail for the old user, just to be sure nobody else will have access to that username. That means anybody could look through, let's say, a forum, try different usernames that may have been deleted, register with their own e-mail, and have control of an account linked to the previous user's information. I am reluctant to deploy my website till this is addressed.
 
New Post
5/13/2010 12:11 AM
 
OK, well, it turns out that when I delete the user from the admin menu user accounts module, it does not change the user Isdeleted flag from 0 to 1. When I change it to 1 from the database, the username cannot be used again. This makes sense. However, I do not want to have to go to the database to change the values every time. Shouldn't the value change automatically when the user is deleted by the administrator from the website?
 
New Post
5/13/2010 11:20 AM
 
Never mind the previous post. I did some more checking today after getting some sleep, and I must not have deleted the user; that is why it was saying the username was already in use. On the other hand, this is still a serious problem. No matter if all the IsDeleted flags are marked as true, a user can be created with the same name and the old information is subject to the new user. There needs to be some cross-checking of the IsDeleted flag. During registration, if a username is trying to be created and that username already exists but the UsersPortal IsDeleted flag is marked as true, then that username should not be allowed to be created. Is anybody on board with what I am saying? It would not be a problem if the information of the old user of that username was displayed for the new user. But there cannot be duplicate usernames, so the only solution is that the new user cannot use a deleted user's username. What can we do about this? I am not that good at writing code and interpreting it yet, but I believe this needs to be addressed, because as of now it is unsafe to unregister or delete any users. I cannot believe this has not been addressed; user membership is like the holy grail of a website, and without secure information, what is the point?
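
The registration check proposed in the post above, sketched as an added example (not part of the thread and not DNN's code). It assumes a simplified, constructed SQLite schema with a single portal, and the function names are hypothetical: `register_reattach` models the reported behaviour, `register_checked` refuses any username that already has a row, soft-deleted or not.

```python
import sqlite3

# Simplified, constructed schema (not DNN's real one): account row,
# soft-delete flag, and profile properties keyed by UserID.
SCHEMA = """
CREATE TABLE Users (UserID INTEGER PRIMARY KEY, Username TEXT UNIQUE, Email TEXT);
CREATE TABLE UserPortals (UserID INTEGER, IsDeleted INTEGER);
CREATE TABLE UserProfile (UserID INTEGER, PropertyName TEXT, PropertyValue TEXT);
-- constructed sample data: 'alice' filled in a profile, then was soft-deleted
INSERT INTO Users VALUES (1, 'alice', 'alice@example.com');
INSERT INTO UserPortals VALUES (1, 1);
INSERT INTO UserProfile VALUES (1, 'Telephone', '555-0100');
"""

def make_db():
    """Fresh in-memory database holding the constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def _lookup(db, username):
    return db.execute("SELECT u.UserID, p.IsDeleted FROM Users u JOIN UserPortals p "
                      "ON p.UserID = u.UserID WHERE u.Username = ?", (username,)).fetchone()

def _create(db, username, email):
    uid = db.execute("INSERT INTO Users (Username, Email) VALUES (?, ?)",
                     (username, email)).lastrowid
    db.execute("INSERT INTO UserPortals VALUES (?, 0)", (uid,))
    return uid

def register_reattach(db, username, email):
    """Reported behaviour: a soft-deleted row is revived for the newcomer."""
    row = _lookup(db, username)
    if row is None:
        return _create(db, username, email)
    uid, deleted = row
    if not deleted:
        raise ValueError("username in use")
    db.execute("UPDATE Users SET Email = ? WHERE UserID = ?", (email, uid))
    db.execute("UPDATE UserPortals SET IsDeleted = 0 WHERE UserID = ?", (uid,))
    return uid  # same UserID, so the old UserProfile rows come along

def register_checked(db, username, email):
    """Proposed check: any existing row, live or soft-deleted, blocks reuse."""
    if _lookup(db, username) is not None:
        raise ValueError("username unavailable")
    return _create(db, username, email)

def profile(db, uid):
    q = "SELECT PropertyName, PropertyValue FROM UserProfile WHERE UserID = ?"
    return dict(db.execute(q, (uid,)).fetchall())
```

With the sample data, `register_reattach` hands the newcomer UserID 1 together with the old telephone number, while `register_checked` rejects `alice` and gives a new name a fresh UserID with an empty profile.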
 