Schrödinger's User Registration

By Eric Lathrop on

A few months back I was volunteering at Code Louisville and helping George log into a forum. He had signed up a few days earlier, but had never logged in. When he tried to log in, the forum gave an "invalid username or password" error. George had unknowingly created a Schrödinger-ed user account.

The Debugging Steps

I asked George to try the "I forgot my password" form, and the forum gave a "no such user with this email" error. Since the forum told us there was no such user, I asked George to register a new account with the same email address. The forum complained that a user already exists with that email.

A-ha! How can a user simultaneously exist, and not exist, with George's email address? Can you guess the bug?

"When you have eliminated all which is impossible, then whatever remains, however improbable, must be the truth." -Arthur Conan Doyle

The Bug

When George originally signed up for the forum, the forum had sent a "confirm your email address" email. This email went straight to the junk folder, and was never seen. After 24 hours, George's unconfirmed account was deactivated, but not deleted. George's account was created in the database in some sort of disabled state.

The simultaneously alive-and-dead state of George's account meant that the forum would not reset the password, because the account was not active. It also meant that the forum could not create a new account for George's email address, because a row for it already existed in the database (i.e. the email address column was probably a primary key, or had a unique index).

The last thing we tried was to dig out the registration confirmation email, and click on the magic link. Sadly, the link had expired, leaving nothing for George to do other than contact the forum administrators to notify them that he had a Schrödinger-ed account.
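The contradiction described under "The Bug" can be reproduced in a few lines. This is an added example, not the forum's code: the table layout, the state names and every function name are assumptions, and `register_fixed` is one possible repair that the post itself does not describe.

```python
import sqlite3

CONFIRM_WINDOW = 24 * 3600  # seconds; the 24-hour limit from the post

def make_db():
    db = sqlite3.connect(":memory:")
    # Assumed schema. state: 'pending' (awaiting confirmation), 'active', 'expired'
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw TEXT,"
               " state TEXT, created REAL)")
    return db

def state_of(db, email):
    row = db.execute("SELECT state FROM users WHERE email=?", (email,)).fetchone()
    return row[0] if row else None

def expire_unconfirmed(db, now):
    # The cleanup from the post: deactivate the account, but do not delete it.
    db.execute("UPDATE users SET state='expired' WHERE state='pending'"
               " AND ? - created >= ?", (now, CONFIRM_WINDOW))

def forgot_password(db, email):
    # Only active accounts count as existing here.
    return "reset sent" if state_of(db, email) == "active" else "no such user"

def register_buggy(db, email, pw, now):
    try:
        db.execute("INSERT INTO users VALUES (?, ?, 'pending', ?)", (email, pw, now))
        return "confirmation sent"
    except sqlite3.IntegrityError:  # a row in any state blocks the insert
        return "user already exists"

def register_fixed(db, email, pw, now):
    # Reclaim a row that was never confirmed and has expired, so both forms
    # agree on whether the user exists. Active and pending rows are untouched.
    db.execute("DELETE FROM users WHERE email=? AND state='expired'", (email,))
    return register_buggy(db, email, pw, now)

def demo(register):
    db = make_db()
    email = "george@example.com"  # constructed sample data
    register(db, email, "pw-hash-1", now=0)
    expire_unconfirmed(db, now=CONFIRM_WINDOW + 1)
    return (forgot_password(db, email),
            register(db, email, "pw-hash-2", now=CONFIRM_WINDOW + 2))

if __name__ == "__main__":
    print(demo(register_buggy))
    print(demo(register_fixed))
```

With `register_buggy` the two forms give the answers George saw; with `register_fixed` the second registration goes through and a fresh confirmation is issued.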