portals-jetspeed-user mailing list archives

From ICM S Op Guest 5 <ICM-S-OP.gues...@icn.siemens.de>
Subject Confirmation email
Date Fri, 07 Dec 2001 17:14:03 GMT
Hi,

I don't know if this is handled differently in the new Jetspeed build, but on my release,
when I get a confirmation email the email contains all personal user data, like login, password,
and activation key.

This is also included in the URL which is sent to the user. So this URL with all these data
is sent through the internet and can be easily abused by someone else.

What can be done easily:
Remove the activation key from the URL; because you have to insert it into the input field,
there's no need to keep it in the URL.

Recommendation:
After the registration process an email is sent to the user which contains only the key and
a url. On his browser the insert-confirmation-key page should come up where he can input his
received key. If the user doesn't want to wait for the email, he can click on the link in
the email later which will route him directly to the insert-confirmation-key page. This page
knows that the user is coming from 'outside' just for the confirmation and offers two more
fields for the login and the password.

What do you think about this? Maybe it has been changed in the current build.

Andreas

--
To unsubscribe, e-mail:   <mailto:jetspeed-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:jetspeed-user-help@jakarta.apache.org>
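The flow Andreas recommends, written out as an added example; this is not code from the original message or from Jetspeed. The mail carries only the key and a bare link, the confirmation page takes login, password and key as typed input, the key is stored hashed with a validity window and is single use, and a small check flags links that would carry secrets in their query string. The in-memory USERS dict, BASE_URL, KEY_TTL_SECONDS, the PBKDF2 password hash and the returned mail body are all assumptions made for the example.

```python
"""Confirmation-email flow that keeps login, password and activation key
out of the emailed link. Added illustration, not Jetspeed code: the user
store is an in-memory dict and the "mail" is a returned string (assumptions)."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

BASE_URL = "https://portal.example.com/confirm"   # assumed confirmation page
KEY_TTL_SECONDS = 24 * 3600                        # assumed validity window

# username -> {"pw_salt", "pw_hash", "key_hash", "expires", "active"}
USERS = {}


def _hash_password(password, salt):
    # PBKDF2 stands in for whatever password hash the portal really uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username, password):
    """Create a pending account and return the mail body to send.

    Only the activation key and a bare URL go into the mail. Login and
    password never leave the server, and the key is stored hashed so a
    leaked user table does not hand out usable keys."""
    key = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    USERS[username] = {
        "pw_salt": salt,
        "pw_hash": _hash_password(password, salt),
        "key_hash": hashlib.sha256(key.encode()).hexdigest(),
        "expires": time.time() + KEY_TTL_SECONDS,
        "active": False,
    }
    return (
        f"Your activation key is: {key}\n"
        f"Enter it together with your login and password at {BASE_URL}\n"
    )


def confirm(username, password, key):
    """Handle the insert-confirmation-key page. All three values are typed
    by the user; nothing is read from the URL. Returns True on success."""
    rec = USERS.get(username)
    if rec is None or rec["active"] or rec["key_hash"] is None:
        return False
    if time.time() > rec["expires"]:
        return False
    # Constant-time comparisons so neither the password nor the key can be
    # guessed one character at a time through response timing.
    if not hmac.compare_digest(rec["pw_hash"], _hash_password(password, rec["pw_salt"])):
        return False
    if not hmac.compare_digest(rec["key_hash"], hashlib.sha256(key.encode()).hexdigest()):
        return False
    rec["active"] = True
    rec["key_hash"] = None   # single use: the key is dead after a successful confirmation
    return True


SENSITIVE_PARAMS = {"login", "username", "password", "passwd", "key", "activationkey"}


def url_leaks_secrets(url):
    """Check an outgoing link the way the original mail should have been
    checked: return the names of sensitive query parameters it carries."""
    params = parse_qs(urlsplit(url).query)
    return sorted(p for p in params if p.lower() in SENSITIVE_PARAMS)


if __name__ == "__main__":
    body = register("andreas", "hunter2")
    print(body)
    key = body.split("key is: ")[1].split("\n")[0]
    print("wrong key accepted:", confirm("andreas", "hunter2", "nope"))
    print("right key accepted:", confirm("andreas", "hunter2", key))
    print("leaky link params:", url_leaks_secrets(
        "http://portal/confirm?login=andreas&password=hunter2&activationkey=abc"))
```

The point of the split is that an intercepted mail or proxy log now yields only the key, which is useless without the password the attacker never saw, and even the key stops working after first use or after the TTL.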

