> 3- Try to register him again, and it will not work because of the
> duplicate email address,
> *but if I changed the email address to , jsmithxxx[at]gmail.com *
> and left user name *jsmith* - AND enter a new password, not jsmith's
> password, it lets me in
> to jsmith's original account.

Yes, but I don't think the new account is overwriting the old account. Rather, upon successful registration, the user is automatically logged in (unless registration requires verification or approval). The login happens by querying for the username and taking the first matching record, which will be the original account. Note, this should only happen at registration. If you log out and then try to log back in, the login should fail because the password for the new account will be compared to that of the old account and won't match.

Anyway, this is why usernames have to be unique and you shouldn't overwrite the default validators as you did.

Anthony
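
The behaviour described in the reply above, as an added example that is not part of the original thread and is not the framework's own code: a simplified sqlite3 model in which registration auto-logs-in by username and takes the first matching record, run with and without a uniqueness constraint on the username. The table layout, function names and sample credentials are assumptions constructed for illustration.

```python
import hashlib, hmac, os, sqlite3

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db(unique_username):
    # Hypothetical schema; the only variable is whether username is UNIQUE.
    db = sqlite3.connect(":memory:")
    constraint = "UNIQUE" if unique_username else ""
    db.execute("CREATE TABLE auth_user (id INTEGER PRIMARY KEY, "
               f"username TEXT {constraint}, email TEXT UNIQUE, salt BLOB, pw BLOB)")
    return db

def first_by_username(db, username):
    # The lookup described in the reply: first matching record wins.
    return db.execute("SELECT id, salt, pw FROM auth_user "
                      "WHERE username = ? ORDER BY id LIMIT 1", (username,)).fetchone()

def register(db, username, email, password):
    """Insert the user, then auto-login by username. Returns the session's user id."""
    salt = os.urandom(16)
    try:
        db.execute("INSERT INTO auth_user (username, email, salt, pw) VALUES (?,?,?,?)",
                   (username, email, salt, hash_pw(password, salt)))
    except sqlite3.IntegrityError:
        return None  # duplicate username or email rejected by the constraint
    return first_by_username(db, username)[0]

def login(db, username, password):
    row = first_by_username(db, username)
    if row and hmac.compare_digest(row[2], hash_pw(password, row[1])):
        return row[0]
    return None

def demo(unique_username):
    # Constructed sample data: same username, different email and password.
    db = make_db(unique_username)
    original = register(db, "jsmith", "jsmith@example.com", "original-pw")
    second = register(db, "jsmith", "jsmithxxx@example.com", "new-pw")
    later = login(db, "jsmith", "new-pw")  # log out, then log back in
    return original, second, later

if __name__ == "__main__":
    print("no uniqueness check:", demo(False))
    print("unique username:    ", demo(True))
```

Without the constraint the second registration lands in the session of record 1 and the later login fails on the password comparison; with the constraint the second registration is rejected outright.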