Web Connection
Mixed-Case Passwords
Mixed-Case Passwords
  Michael Hogan (Ideate Hosting)
  All
  Aug 22, 2023 @ 09:23am

I see in wwUserSecurity that lCaseSensitive is marked as "*-- OBSOLETE and no longer used"

I also see in testing that upper or mixed case passwords in the "UserSecurity" table are not working by default, but that 'THIS.Authenticate("ANY")' converts passwords entered on the login form to lower-case when authenticating.

I'm aware that I can subclass wwUserSecurity to customize validation - but I'm hoping I'm overlooking an easy way to use mixed-case passwords.

Am I missing something, or is subclassing the only way to support mixed-case passwords?

re: Mixed-Case Passwords
  Rick Strahl
  Michael Hogan (Ideate Hosting)
  Aug 23, 2023 @ 08:36am

The flag is applied to the password hashing only.

It looks to me that the implementation is backwards. lCaseSensitive actually is NOT checking for case. Flipping this the other way will make it case sensitive.

Not sure when or why this was marked obsolete; it's obviously in use. I'm hesitant to change this now as this would break code. If anything the change should be lCaseInsensitive and that defaults to .T. which is the current default behavior.

+++ Rick ---

re: Mixed-Case Passwords
  Michael Hogan (Ideate Hosting)
  Rick Strahl
  Aug 23, 2023 @ 09:06am

Thanks for the clarification... I'll test.

re: Mixed-Case Passwords
  Rick Strahl
  Michael Hogan (Ideate Hosting)
  Aug 23, 2023 @ 09:11am

I think the confusion was introduced when password hashing was added. The original implementation had explicit flags; the hashing routine has it just in one place. It looks like I meant to use lCaseInsensitive rather than lCaseSensitive with the logic that is now in place.

The good news is that if you reverse the flag you should be able to get case sensitive passwords as the hash will be generated off the non-lower value.

Main issue is that if passwords were created and hashed one way, they're going to break if they are switched to the other way (if not already all lower case).

+++ Rick ---
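
The breakage described in the last reply, and one way to migrate around it, as an added Python sketch that is not Web Connection or wwUserSecurity code: each record stores which convention its hash was created under, and a legacy lower-cased record is re-hashed as typed on the next successful login. The PBKDF2 parameters, the record layout and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def hash_password(password, salt, case_sensitive):
    """Hash a password; legacy (case-insensitive) mode lower-cases it first."""
    material = password if case_sensitive else password.lower()
    return hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"), salt, ITERATIONS)


def new_record(password, case_sensitive):
    """Build a stored credential that remembers how its hash was produced."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "hash": hash_password(password, salt, case_sensitive),
        "case_sensitive": case_sensitive,
    }


def authenticate(record, entered):
    """Verify under the record's own convention; upgrade legacy records on success."""
    candidate = hash_password(entered, record["salt"], record["case_sensitive"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return False
    if not record["case_sensitive"]:
        # Only at login is the typed password available, so this is the one
        # moment a lower-cased hash can be replaced with a case-sensitive one.
        # The casing the user typed now becomes the password of record.
        record.update(new_record(entered, True))
    return True


if __name__ == "__main__":
    rec = new_record("Secret1", case_sensitive=False)  # constructed sample user
    # Flipping the flag globally: the same mixed-case entry no longer matches.
    print(hash_password("Secret1", rec["salt"], True) == rec["hash"])
    print(authenticate(rec, "Secret1"), rec["case_sensitive"])
    print(authenticate(rec, "secret1"))
```

Because the upgrade adopts whatever casing was typed at that login, a deployment may prefer to prompt for a password change at that point instead of re-hashing silently.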
