Hi

As I am not happy about having to explain to my 15.000 User the difference between a username an a displayname, I will also have to do some ugly core hacks to deactivate this. So i would be VERY happy if this is made optional. And yes, i am willing to take the risk of a "not higher than before" security. ;)

greetings MK

If an upgrade to a login name plus display name membership system is transparent to existing users, I can't see a problem.

For example, I currently log in as Peekay. Ideally, if Xoops.org upgraded to 2.2, I would expect nothing to change. My posts (in forum, news, comments, etc.) would still displayed as being from Peekay. This is because the upgrade would by default set my display name to the same as my login name.

When I then get a PM from admin saying I now have the option to change my 'display' name to something else - to protect my login name from being seen - I have the choice of doing so, or leaving things as they are.

Seems simple to me. If that's how it was intended to work.

Adrock - that's the answer I was looking for but I don't know how to do this. Can you help me?

Mith wrote: With XOOPS 2.2 RC2, which we'll release tomorrow if all goes well, the Real Name attribute will be used like it is today, i.e. not really - except in some modules where you can toggle between username and real name.

Did all go well & do we get to see this version today?

I have to say I am "Extremely Happy" with the new Security measures making it harder for a hack to figure out both the username and display name.

Security has to be a top priority for any site, just get hacked once and you'll agree. The easiest way I found to notify potential clients about what "DisplayName" meant was to use the FAQ "Registration Requirements" in a block visible to my guest so they could understand the reason for the security and how to fill out the registration properly.

I have yet to have anyone fill out the registration improperly and I have had several comments about the "Nice" security measure making them feel more at ease.

I think the problem I am running into now is the "Select" and "Multi-select" option in the registration field. In version 2.2rc, it allowed only 4 options. In version 2.2rc2, this does not allow ANY option. So you cannot make a drop down "select" for members to select. You can't even get the "Default" fields like ICQ, YIM, ect to creat a "Select" drop down field.

I am hoping this was just a missed item and can be corrected in the stable version.

Quote:

Sory but I disagree!

if somebody can read or write to sql because any reason, can find any user record; there is uid field used many times. It's not hard work to know any user's uid.

If you know uid, you can easyly locate this user's record in the db.

It's realy not necessary to know the user's login name.

My main problem with the system is the seperation of loginname from username. Since the standard is to register with a username and then use that same one to log in, this will confuse my users. Another thing is that the select user form still uses loginname or username to show users rather then the real name. Please switch back to a combo of username (requiered, unique) and real name(not required, not unique).

Another thing I discovered just now is the following: admin can change only displayname and not login name...or at least I'm unable to change it

If I'm not wrong this choice is useless for existing sites and security because an admin (that's the only user that could appreciate this thing in terms of security) can't use this security "improvement".

But probably I'm wrong and there's a way to change my login name otherwise it would be a big big bug in my opinion.

Please tell me how can change my login name because if I change username in Edit account I've no effects.

Still...is it normal that a normal user can't change his Displayname? I think yes but it colud be the same error that dont't let me change my username

Quote:

I'm really not too familiar with the new system, so I could be wrong, but i just wanted to mention this scenario:

New security threat:

Display name spoofing.

lets say Mithrandir (hypothetically) decides to change his display name. He just decides one day he wants to be called something else.

Then, some clever person out there decides to change their display name to Mithrandir... And on top of that, they send mail to different people saying: "Important bug fix! please download the new version of XOOPS here: http://mysite.com/xoops.zip" The user goes and downloads the "patch" only to find there is a trojan horse in the php code.

Some one could also change their name to a previously used name just to get personal information from some one else. For example, even just asking for email addresses, or how the date went last night or whatever.

I said that to say, there is a certain amount of trust that people give names. But, now that trust is no longer there because these names are somewhat interchangeable. You loose the ability to tell who is who with 100% probability. This provides a security hole in which a hacker doesn't really have to do anything clever or technical (unlike before), and you could have a much bigger problem.

Even if you did have a system where you kept track of past display names, so people could not use them anymore, you could run out the namespace quickly if people frequently changed names.

DMarvelus: that's not a new security thret. You could do the same right now if I changed my name and you changed yours (changing mine frees up the old one). The only way to stop this is to make names unique forever, or give admins reserved names.

So th ethreat isn't that big IMHO.

Herko