portals-jetspeed-user mailing list archives

From "David Sean Taylor" <da...@bluesunrise.com>
Subject RE: Confirmation email
Date Fri, 07 Dec 2001 17:28:21 GMT




> -----Original Message-----
> From: ICM S Op Guest 5 [mailto:ICM-S-OP.guest-5@icn.siemens.de]
> Sent: Friday, December 07, 2001 9:14 AM
> To: Jetspeed Users List
> Subject: Confirmation email
>
>
> Hi,
>
> I don't know if this is handled differently in the new Jetspeed
> build, but with my release, when I get a confirmation email
> the email contains all personal user data, like login,
> password, and activation key.
>
> This is also included in the URL which is sent to the user.
> So this URL with all these data is sent through the internet and
> can be easily abused by someone else.
>
> What can be done easily:
> Remove the activation key from the url: because you have to
> insert it into the input field, there's no need to keep it in the url.
>

+1

> Recommendation:
> After the registration process an email is sent to the user
> which contains only the key and a url. On his browser the
> insert-confirmation-key page should come up where he can
> input his received key. If the user doesn't want to wait for
> the email, he can click on the link in the email later which
> will route him directly to the insert-confirmation-key page.
> This page knows that the user is coming from 'outside' just
> for the confirmation and offers two more fields for the login
> and the password.
>
> What do you think about this? Maybe it has been changed in
> the current build.
>

+1

> Andreas
>
> --
> To unsubscribe, e-mail: <mailto:jetspeed-user-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:jetspeed-user-help@jakarta.apache.org>



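The confirmation flow recommended in the quoted message, sketched as an added example that is not part of the original thread and is not Jetspeed code. The names CONFIRM_URL, register, confirm and extract_key, the portal.example host and the in-memory user store are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical confirmation page; no query string, so no secret lands in logs or history.
CONFIRM_URL = "https://portal.example/confirm"
_pending = {}  # login -> (salt, password hash, key hash); in-memory stand-in for a user store


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(login: str, password: str) -> str:
    """Create a pending account and return the text of the confirmation email."""
    salt = secrets.token_bytes(16)
    key = secrets.token_urlsafe(16)  # one-time activation key
    key_hash = hashlib.sha256(key.encode()).digest()  # only the hash is stored
    _pending[login] = (salt, _hash_password(password, salt), key_hash)
    # The mail carries the key and a bare URL: no login, no password, no key in the URL.
    return (
        "Your activation key: " + key + "\n"
        "Enter it, together with your login and password, at:\n"
        + CONFIRM_URL + "\n"
    )


def confirm(login: str, password: str, key: str) -> bool:
    """Activate only when login, password and key all match; the key is single use."""
    record = _pending.get(login)
    if record is None:
        return False
    salt, pw_hash, key_hash = record
    pw_ok = hmac.compare_digest(_hash_password(password, salt), pw_hash)
    key_ok = hmac.compare_digest(hashlib.sha256(key.encode()).digest(), key_hash)
    if pw_ok and key_ok:
        del _pending[login]  # consume the key so a replayed mail is useless
        return True
    return False


def extract_key(mail_text: str) -> str:
    """Demo helper: read the key back out of the constructed mail text."""
    return mail_text.splitlines()[0].split(": ", 1)[1]
```

With this layout the mail alone does not activate the account, because the confirmation page still asks for the login and password that were never sent.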

