Fossil Forum

anonymous 1 month, 2 weeks ago

Post: username change leads to broken password

scenario:

* fossil running on webserver (no local auth)
* logged in as user
* going to admin - users
* changing my own username
* save
* login window shows up
* old password not working anymore

Even if I remove the **** in the input, the password does not work anymore. I have to reset it via cli.

Did I oversee something?

stephan 1 month, 2 weeks ago

username change leads to broken password

That's actually correct behavior. Fossil doesn't remember your password, it remembers a hash of that password. Part of the input for that hash is the user name, so changing the name invalidates the password.

The user editor should probably warn about that when changing names, but changing them is so rare that we don't trip over this in day-to-day use.

drh 1 month, 2 weeks ago

The password hash includes the login name and "project code". This is deliberate. It means that if somebody uses the same password on multiple projects, the hash is always different. Or if two people pick the same password, the hashes are still different.

So, yeah, if you change your login name, you have to change your password too. Or, at least, "change" it back to what it was before.

anonymous 1 month, 2 weeks ago

Understood, thank you very much. So it works as designed.

luziferius 1 month ago

A simple warning should at least be there. And that should be a relatively easy addition within the static HTML.

But imho, that behavior is a bug. Is there any legitimate use case where you want to change the user name and not update the password hash? Doing this breaks further logins, which doesn't sound particularly useful. So, in addition to a static explanation[1], the editor should force the user to re-set the password, if they change the user name. That will completely prevent this from happening again.

[1] Something like: "Changing the username invalidates the stored password hash, thus requires re-entering the password."

andybradford 1 month ago

Is there any legitimate use case where you want to change the user name and not update the password hash?

It happens so rarely, however, I can certainly envision a use where one wants to temporarily disable a username but not require that user to change the password. Then when renamed back to the original correct name, it will just work again without knowing or altering the password.
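The mechanism drh describes above (a stored hash bound to the login name and project code) and andybradford's rename-back observation, as an added Python illustration that is not Fossil's own code: `PROJECT_CODE` and the logins are constructed, and the SHA-1 choice and the "/"-joined input layout are assumptions, since the thread only states that the hash includes the login name and project code.

```python
import hashlib
import hmac

# Constructed sample project code, not one from a real Fossil repository.
PROJECT_CODE = "0123456789abcdef0123456789abcdef01234567"

def password_hash(project_code: str, login: str, password: str) -> str:
    """Hash bound to both the project and the login name.

    ASSUMPTION: the thread only says the hash "includes the login name and
    project code"; SHA-1 and the "/"-joined layout are illustrative here.
    """
    material = f"{project_code}/{login}/{password}".encode()
    return hashlib.sha1(material).hexdigest()

def verify(stored_hash: str, project_code: str, login: str, password: str) -> bool:
    """Check a login attempt the way the server would: recompute and compare."""
    return hmac.compare_digest(stored_hash, password_hash(project_code, login, password))

def rename_user(users: dict, old_login: str, new_login: str) -> None:
    """Model the admin user editor: only the login changes; the stored hash is
    carried over untouched because the plaintext is not available to recompute it."""
    users[new_login] = users.pop(old_login)

def rename_scenario(password: str = "correct horse") -> dict:
    """Replay the thread's scenario and report the outcome of each login attempt."""
    users = {"alice": password_hash(PROJECT_CODE, "alice", password)}
    before = verify(users["alice"], PROJECT_CODE, "alice", password)
    rename_user(users, "alice", "alice2")  # admin renames the account
    after = verify(users["alice2"], PROJECT_CODE, "alice2", password)
    rename_user(users, "alice2", "alice")  # andybradford's rename-back case
    restored = verify(users["alice"], PROJECT_CODE, "alice", password)
    return {"before": before, "after_rename": after, "after_rename_back": restored}

def hashes_are_domain_separated(password: str = "hunter2") -> bool:
    """drh's point: the same password on another project or under another
    login name yields a different stored hash."""
    h_proj_a = password_hash(PROJECT_CODE, "bob", password)
    h_proj_b = password_hash("f" * 40, "bob", password)  # constructed second project
    h_user_c = password_hash(PROJECT_CODE, "carol", password)
    return len({h_proj_a, h_proj_b, h_user_c}) == 3

if __name__ == "__main__":
    print(rename_scenario())  # {'before': True, 'after_rename': False, 'after_rename_back': True}
    print("domain separated:", hashes_are_domain_separated())  # True
```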
