[pmwiki-users] A robust user registration module

Eemeli Aro eemeli at gmail.com
Wed May 26 00:30:49 CDT 2010


On 26 May 2010 02:03, DaveG <pmwiki at solidgone.com> wrote:
> On 5/25/2010 12:35 AM, V.Krishn wrote:
>> Somehow I think sha1($email.$username.$password) should be sufficient.
>> Secondly,
>> As no user info(including email) is stored on server,
>> what would be the method to resend new password when lost?
>
> You would never resend a password, but would rather reset it. So if the
> email address is not stored, then basically follow the same process as
> initial sign up.
>
> Note, I'm not suggesting there is no need to store email. Simply
> highlighting it's not needed for password resets.

Ummm, how exactly? If the server only keeps the username and password
hash, how do you verify that the email address a password reset is
sent to is that user's email address? How do you prevent an account
being hijacked just by knowing the username?

eemeli
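One way to answer the question above, added here as an illustration and not code from this thread or from PmWiki: keep a salted hash of the e-mail address next to the password hash at sign-up, so the server never stores the address in the clear but can still check that the address a reset is requested for is the one the account was created with. The reset then goes to that address as a random, single-use, expiring token. The in-memory dictionaries, the PBKDF2 parameters and the `send_mail` callback are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for a database (assumption).
USERS = {}          # username -> {"salt", "email_hash", "pw_hash"}
RESET_TOKENS = {}   # username -> (sha256(token), expiry timestamp)
TOKEN_TTL = 3600    # reset tokens are valid for one hour

def _kdf(value, salt):
    """Salted, slow hash used for both the password and the e-mail binding."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)

def _norm_email(email):
    return email.strip().lower()

def register(username, email, password):
    """Store the username, a salted hash of the e-mail and a salted password hash.
    The plaintext address is not kept, but its hash is enough to verify later
    that a reset request names the address the account was registered with."""
    if username in USERS:
        raise ValueError("username taken")
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "email_hash": _kdf(_norm_email(email), salt),
        "pw_hash": _kdf(password, salt),
    }

def verify_login(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["pw_hash"], _kdf(password, rec["salt"]))

def request_reset(username, claimed_email, send_mail, now=None):
    """Issue a reset token only if claimed_email matches the stored binding.
    The return value is identical whether or not anything matched, so the
    response does not reveal which usernames exist or which address is on file."""
    now = time.time() if now is None else now
    rec = USERS.get(username)
    # Hash against a dummy salt for unknown users so the response time does
    # not differ noticeably between existing and non-existing accounts.
    salt = rec["salt"] if rec is not None else b"\x00" * 16
    claimed_hash = _kdf(_norm_email(claimed_email), salt)
    if rec is not None and hmac.compare_digest(rec["email_hash"], claimed_hash):
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[username] = (hashlib.sha256(token.encode()).digest(),
                                  now + TOKEN_TTL)
        send_mail(claimed_email, token)   # only the verified address is mailed
    return "If the details match an account, a reset message has been sent."

def complete_reset(username, token, new_password, now=None):
    """Accept the token once, before it expires, and set the new password."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.get(username)
    if entry is None:
        return False
    token_hash, expiry = entry
    presented = hashlib.sha256(token.encode()).digest()
    if now > expiry or not hmac.compare_digest(token_hash, presented):
        return False
    del RESET_TOKENS[username]           # single use
    rec = USERS[username]
    rec["pw_hash"] = _kdf(new_password, rec["salt"])  # same salt keeps email_hash valid
    return True
```

Storing `sha1($email.$username.$password)` as a single value, as suggested earlier in the thread, would not allow this check: at reset time the password is exactly what the user no longer has, so the e-mail half of that hash can never be verified on its own.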
