[pmwiki-users] A robust user registration module
DaveG
pmwiki at solidgone.com
Thu May 27 17:27:47 CDT 2010
On 5/26/2010 1:30 AM, Eemeli Aro wrote:
> On 26 May 2010 02:03, DaveG<pmwiki at solidgone.com> wrote:
>> On 5/25/2010 12:35 AM, V.Krishn wrote:
>>> Somehow I think sha1($email.$username.$password) should be sufficient.
>>> Secondly,
>>> As no user info (including email) is stored on server,
>>> what would be the method to resend new password when lost?
>>
>> You would never resend a password, but would rather reset it. So if the
>> email address is not stored, then basically follow the same process as
>> initial sign up.
>>
>> Note, I'm not suggesting there is no need to store email. Simply
>> highlighting it's not needed for password resets.
>
> Ummm, how exactly? If the server only keeps the username and password
> hash, how do you verify that the email address a password reset is
> sent to is that user's email address? How do you prevent an account
> being hijacked just by knowing the username?
What I meant to highlight was it's not necessary to use a stored email
for a password reset -- thus the reset process could be the same as the
registration process.
As you point out the email/password combo does need to be stored
somewhere in order to actually authenticate.
~ ~ Dave
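To make the thread's point concrete, here is an added example (not PmWiki code and not written by anyone in the thread) of a reset flow where the server stores the username, the registered email and a salted password hash, and the reset token is only ever delivered to the stored address, so a request naming just a username cannot redirect the link. The class name UserStore, the PBKDF2 parameters and the one-hour expiry are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 3600  # assumed: reset tokens expire after one hour


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash; a bare sha1 of the fields can be brute-forced offline.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    """Server-side record: username -> registered email + salted password hash."""

    def __init__(self):
        self.users = {}            # username -> {"email", "salt", "pw_hash"}
        self.pending_resets = {}   # username -> (sha256(token), expiry)

    def register(self, username, email, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {"email": email, "salt": salt,
                                "pw_hash": hash_password(password, salt)}

    def request_reset(self, username, now=None):
        # Destination comes from the stored record, never from the requester.
        user = self.users.get(username)
        if user is None:
            return None  # caller shows the same neutral message either way
        token = secrets.token_urlsafe(32)
        expiry = (time.time() if now is None else now) + RESET_TTL_SECONDS
        # Keep only a hash of the token so a leaked table cannot be replayed.
        self.pending_resets[username] = (hashlib.sha256(token.encode()).digest(), expiry)
        return user["email"], token

    def complete_reset(self, username, token, new_password, now=None):
        entry = self.pending_resets.get(username)
        if entry is None:
            return False
        token_hash, expiry = entry
        presented = hashlib.sha256(token.encode()).digest()
        if (time.time() if now is None else now) > expiry or \
                not hmac.compare_digest(token_hash, presented):
            return False
        del self.pending_resets[username]  # single use
        user = self.users[username]
        user["salt"] = secrets.token_bytes(16)
        user["pw_hash"] = hash_password(new_password, user["salt"])
        return True

    def authenticate(self, username, password):
        user = self.users.get(username)
        return user is not None and hmac.compare_digest(
            user["pw_hash"], hash_password(password, user["salt"]))
```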