Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions
  #1  
Old 11-23-2009, 01:33 PM
anthonym16 anthonym16 is offline
 
Join Date: Feb 2009
Posts: 12
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Automatic Account Creation Race Condition

I have a single sign-on script that will automatically create an account for new users visiting my site for the first time.

I found instances in my logs which appear to be race conditions where multiple accounts were created for the same user. The user accounts are identical (same username, email, etc) and only the userids are different.

The guts of my sso script are as follows:

PHP Code:
   // search the VB db for an existing user with the same email
    
$userid $vbulletin->db->query_first_slave("
    SELECT userid, salt
    FROM "
.TABLE_PREFIX."user
    WHERE LOWER(email) = LOWER('"
.mysql_real_escape_string($searchResult[0]['mail'][0])."')");

    if (
$userid)
    {
        if(
$enableLoggingwriteLog($fpSSO"user exists in vb");
        
$newuser->set_existing(fetch_userinfo($userid['userid'], 0));
    
        
// set profile fields
        
$newuser->set('username'$vbulletin->GPC['vb_login_username']);
        
$newuser->set('password'$randomPass);
        
$newuser->set('passworddate''FROM_UNIXTIME('.TIMENOW.')'false);
    }
    else
    {
        if(
$enableLoggingwriteLog($fpSSO"user not found in vb, creating new user");
        
$newuser->set('email'strtolower($searchResult[0]['mail'][0]));
        
$newuser->set('username'$vbulletin->GPC['vb_login_username']);
        
$newuser->set('usergroupid'2);
        
$newuser->set_bitfield('options''adminemail'true);
        
$newuser->set_bitfield('options''emailonpm'true);
        
$newuser->set_bitfield('options''vm_enable'true);
        
$newuser->set('pmpopup'1);
        
$newuser->set_userfields($userFields);
        
$newuser->set('password'$randomPass);
        
$newuser->set('passworddate''FROM_UNIXTIME('.TIMENOW.')'false);
    }

    
$newuser->pre_save();
    if (
$newuser->errors)
    {
        if(
$enableLoggingwriteLog($fpSSO"Error creating/updating user: ".$newuser->errors[0]);
        eval(
standard_error("Error creating/updating user<br/>".$newuser->errors[0]));
        
process_logout();
        return;
    }
    else
    {
        
$newuserid $newuser->save();
        if(
$enableLoggingwriteLog($fpSSO"User account saved successfully: setting cookies and logging in...");

        
// when dealing with a new user, the previous query to get userid and salt returned nothing. rerun query to get new values.
        
if(!isset($userID))
        {
            
$userIDq $vbulletin->db->query_first_slave("
                SELECT userid
                FROM "
.TABLE_PREFIX."user
                WHERE LOWER(email) = LOWER('"
.mysql_real_escape_string($searchResult[0]['mail'][0])."')");
        }
        
        
$vbulletin->userinfo fetch_userinfo($userIDq['userid'], $option$languageid); ;

        
// with spoofed data in place, perform authentication
        
$ssoAuth verify_authentication($vbulletin->GPC['vb_login_username'], $randomPass''''truetrue);
        if(
$enableLoggingwriteLog($fpSSO"verify_authentication returned " $ssoAuth);
        
        
// create session
        
process_new_login(''1'');         
        
        
// redirect
        
exec_header_redirect($_SERVER['REQUEST_URI']);
    } 
For a race condition to occur, the SQL query at the beginning would have to return no results. In that case, separate instances of this script would be racing to create an account for the same user. What are the ramifications of using query_first_slave? Should I be using query_first instead? Any ideas for preventing this problem?

I believe I know where the requests are coming from. We have a Terms of Service button that new users must click, and I have a feeling people are going crazy clicking the button. I am going to add some JavaScript to that button to disable it after it is clicked once. However, I would like to prevent the problem in my sso script as well!

Thanks!
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 11:33 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.06117 seconds
  • Memory Usage 2,193KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)bbcode_php
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)post_thanks_box
  • (1)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit_info
  • (1)postbit
  • (1)postbit_onlinestatus
  • (1)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete