This must be a bug - and potentially a serious one.

I've just installed v2.3.2 and created an admin user when I installed, then I created a second admin user and now, regardless of which email and password I use to log in with I'm always logged in as the new (2nd) user.

What's going on? I've cleared session cookies and even switched browser but still only ever log on as the last created user (2 of 2 in this case)!

Need someone to offer an explanation otherwise I'll have to stick with 2.3.1

Cheers,

Rich

Sicp,

We have the same version (2.3.2) installed on our server. I see your problem. I have tried to create multiple admin on SilverStripe version 2.3.2. I am able to log in with all the admin separately. So It’s working absolutely fine as it should be at my end even in version 2.3.2.

When I have tried to create a new admin but with a same email id which I have used for another admin, I lost the control of my previous admin and now I am only able to log in with new admin password. This is because if someone will try to create a account with existing email id old user record will get overwritten.

I suppose you would have done the same thing therefore your previous record has been overwritten due to same email id. Please check and confirm if it is not like the way I said we will troubleshoot more in this.

Hi Thanks for the reply.

Definitely created both users with different email addresses, the "first" admin was the one created at install and I specified a full email address and new password to replace the default "admin" & "password" combo. I was able to log in fine with that account and then created a 2nd admin account using the security tab in the CMS.

I clicked "logout" at the bottom of the CMS and I was going to log in as the new admin to check it, at this point I can't remember if I did this or not but when I logged in as the 1st admin I saw the message at the bottom said "logged in as bill", bill being the firstname of the 2nd admin account. I clicked "profile" next to this and sure enough, I was logged in as bill.

I am going to install another CMS on a dev box and test this again and will also try creating a 3rd admin account to see what happens. Whatever happens this is alarming as (for me at least) the first most important security feature of any system is non-repudiation and the fact that this can happen on any level is worrying.

I'll get back later with results of testing.

Cheers,

Rich

Hi,

What I see happening (v2.3.2) is this: when I try to add a new member that has the same e-mailaddress as an existing member, SilverStripe will see this as an update. So no new member will be created, instead the new data will be used to (silently!) update the account of the existing member.

Now when there's a long list of members Silverstripe might just silently update some existing account without me realising what happened, resulting in some unfortunate member losing their account details (name, password!!!)

For me - I'd rather have Silverstripe warn me that an account with this address already exists, just like it does when I try to alter an existing account by changing the e-mailaddress to one that already exists. And could we not have accounts for two persons that have the same email-address?

Could we maybe even have an option to use an (extra) username field to login on? Has anyone been doing something like this?

Yeah, I noticed similar behaviour with the ecommerce module. If you're logged in and use a different email for the order it changes your email address for your current login without warning. What you are seeing should be easy to detect with a "email already exists" check - can't think of a good reason why this wouldn't be done.

I added a 3rd admin account called test and when I log in as the 1st admin account I am authenticated as test - this is without even logging in as test. There must be something wrong in the database, I was unable to recreate this on a dev server so hopefully this goes away but it still leaves me with an uneasy felling about the security of the SS authentication process.

Cheers,

Rich

Hi martimiz,

I see what you mean. You have brought a very good point here. But, I am impressed with this user friendly grid interface for user list, add update and delete. The silent update is even a very beautiful concept. I would not say it silent feature as if you have seen when I we try to enter an email address it suggest me the existing record with same email id so its an indicator that something with this email is exist. I also do agree with your thoughts to improve this little bit to make it more user friendly.

I would not suggest to allow multiple account with same email address as any notification and other updates or promotion sent via email will create conflict. You must also be agree that now days we have many accounts on different sites so memorizing username for all the different sites is not something which is acceptable. So login with email id will minimize a little bit extra efforts for user experience.

Thanks for your thoughts it will surly help other silverstripe lovers.

Keep writing!

Hi Sicp,

I have done the same thing which you did, I have created three accounts with different email address and password. Luckily I am not facing the issue which you are facing. I am smoothly able to login with those three different accounts, even at the bottom I am having correct display name. I suppose your silverstripe installation must have some ghost [ Just kidding :-) ]. Anyways, can you upload it somewhere on live server and let me send the link so that I can verify the issue and can think of the fix.

Will look forward to hear from you.

There's some discussion about this "silent update" feature in http://open.silverstripe.com/ticket/1434 and http://open.silverstripe.com/ticket/3932