Hello Aaron -

At 9:18 -0800 01/1/17, Aaron Nabil wrote:
>On Wed, 17 Jan 2001, Aaron Nabil wrote:
>> Is this code in Handler.pm doing the most reasonable thing? The way it
>> works now, if you have a rewrite username that lowercases, people can
>> log in multiple times with username, Username, USERNAME, etc.
>
>Looks like you can't win either way.
>
>If you don't use OriginalUserName, session online checks will fail (the
>ones that rely on names instead of session ID's) since they need to match
>what the NAS supplied.
>
>I just took a peek on one of my TC chassis, I have a user logged in as
>"Firstname Lastname " (except with lots more spaces at the
>end) and my two rewrite rules manage to coerce that to his real login of
>firstnamelastname on our system! With our rewriting you could simply
>add a space to your login and create a unique session. :(
>

This is why I always recommend that you reject usernames containing
"illegal" characters immediately - just say "No"......

regards

Hugh

--
NB: I am travelling this week, so there may be delays in our correspondence.

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
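An added example, not part of the thread and not Radiator code: a small model of the session-limit problem Aaron describes next to the reject-first check Hugh recommends. The rewrite function, the legal-character set, the one-session limit and the sample logins are all assumptions made for illustration.

```python
import re

# Assumed policy: which characters are "illegal" is a site decision.
LEGAL = re.compile(r"[A-Za-z0-9._-]{1,64}")
MAX_SESSIONS = 1  # assumed simultaneous-use limit

def rewrite(name):
    # Stand-in for the thread's two rewrite rules: drop whitespace, lowercase.
    return re.sub(r"\s+", "", name).lower()

class NaiveTracker:
    """Authenticates the rewritten name but counts sessions by the NAS-supplied one."""
    def __init__(self, accounts):
        self.accounts, self.sessions = accounts, {}  # original name -> count

    def login(self, original):
        if rewrite(original) not in self.accounts:
            return "reject: unknown user"
        if self.sessions.get(original, 0) >= MAX_SESSIONS:
            return "reject: session limit"
        self.sessions[original] = self.sessions.get(original, 0) + 1
        return "accept"

class StrictTracker:
    """Rejects illegal characters before rewriting, then counts by the rewritten
    name while keeping the original so NAS-side checks can still match it."""
    def __init__(self, accounts):
        self.accounts, self.sessions = accounts, {}  # account -> original names

    def login(self, original):
        if not LEGAL.fullmatch(original):
            return "reject: illegal characters"
        account = rewrite(original)
        if account not in self.accounts:
            return "reject: unknown user"
        active = self.sessions.setdefault(account, [])
        if len(active) >= MAX_SESSIONS:
            return "reject: session limit"
        active.append(original)
        return "accept"

def replay(tracker, names):
    # Feed each login attempt to the tracker and collect its decisions.
    return [tracker.login(n) for n in names]

# Constructed sample input: one account, four login attempts from the NAS.
ACCOUNTS = {"firstnamelastname"}
ATTEMPTS = ["firstnamelastname", "FirstnameLastname",
            "Firstname Lastname   ", "firstnamelastname"]
```

Replaying `ATTEMPTS` through `NaiveTracker` accepts the first three logins as separate sessions, while `StrictTracker` accepts only the first.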
