[ic] Blank Username -- Occurred Again

Ron Phipps rphipps@reliant-solutions.com
Wed, 21 Mar 2001 21:27:52 -0800

On one of our live sites we had a blank username created, this happened
after we used the ORDER DESK for the first time.  We require that all of our
customers login before checking out.  So I assume (although I haven't
verified) that a person comes along, sees the login screen and just hits
login OR worse yet the login screen doesn't show up because the site thinks
the person is logged in do to the empty username.  Once the user logs on
they are able to see the information for the last person that placed an
order and they must clear out the fields with their own information to
proceed.  This is a security risk because a person's personal information
can be viewed.  Can we have a fix put into IC to force that a username not
be an empty string?  I'm going to test my theory but I believe the blank
username was created during the ORDER DESK entry because each order after
that one was messed up in some way due to the blank username.  I'll be
reinstalling our test environment to see if we can recreate this situation
again.  Thanks.