[ic] Multizip and Multistate do not require

Rick Bragg lists at gmnet.net
Sat Jan 9 22:25:10 UTC 2010


On Fri, 2010-01-08 at 09:46 -0800, Paul Jordan wrote:
> >> As standard ships, the Common Profile has among other things:
> >>
> >>     state=multistate
> >>     zip=multizip
> >>
> >> I should mention that I do have MV_STATE_REQUIRED and MV_ZIP_REQUIRED
> >> set
> >> properly. With this, I was under the impression a zipcode and state
> >> would be
> >> required.
> >>
> >> If the customer is not from the US or Canada, they can get through the
> >> checkout without having a state or zipcode. I noticed this because I
> >> was
> >> getting autocreate failures with sporadic German customers that were
> >> including their postal code  prefixed on the City, and leaving the
> >> postal
> >> code blank.
> >>
> >> Anyway, to work as expected, one would really need this:
> >>
> >>     state=multistate
> >>     &and
> >>     state=required
> >>     zip=multizip
> >>     &and
> >>     zip=required
> >>
> >> I'm submitting this to make sure this was the intended behavior, or is
> >> there
> >> in fact a bug.
> >>
> >> Just to be clear, as Standard ships, auto-creates can fail.
> >
> > Hi Paul,
> >
> > A patch was made by Mike to prevent the autocreation from failing, see:
> > http://github.com/interchange/interchange/commit/7a238b464b153673b2233dafcb4
> > e914e1ba5d1f8
> >
> > This has been backported to 5.6.2 stable branch and is part of the current
> > 5.6.2 download:
> > http://ftp.icdevgroup.org/interchange/5.6/tar/interchange-5.6.2.tar.gz
> >
> > Only if you'd do an order desk entry you'd still run into the problem
> > mentioned from the looks of it as there the password generation is still
> > based on just the zipcode.
> 
> Gert
> 
> Thank you.
> 
> However I noticed it is no longer using the zip for the password. Was this 
> also done for some security reason?
> 
> I ask because part of our RMA system has an option if they have no account - 
> they sign in with their order number and zipcode. This looks up their 
> username (UXXXX) and uses the zip for the password - which if I switch to 
> randomized password, I'll have to rework this. Most non-account customers 
> won't know their random password.
> 
> If there is a security risk by using zipcode then I'll make the change, 
> otherwise it can wait.
> 
> Paul

I personally think it's a bad idea to use the zip as a password in any
case.  Stores that are popular in a local area especially.  (or a
website for a city!)  In fact, I don't even like passing the password
back to the user over email, but it really depends on the site...  The
big problem comes in if you are using "gift certs" or any other form of
"credit"...  I modified my site so that if there is a gift cert in the
cart, they would have to go through a hard-core account setup in order
to use purchase that.  Then they can only retrieve the code by secure
login.  Sorry to get a bit off topic...

rick









More information about the interchange-users mailing list