[pmwiki-users] A robust user registration module

DaveG pmwiki at solidgone.com
Thu May 27 17:27:47 CDT 2010

On 5/26/2010 1:30 AM, Eemeli Aro wrote:
> On 26 May 2010 02:03, DaveG<pmwiki at solidgone.com>  wrote:
>> On 5/25/2010 12:35 AM, V.Krishn wrote:
>>> Somehow I think sha1($email.$username.$password) should be sufficient.
>>> Secondly,
>>> As no user info(including email) is stored on server,
>>> what would be the method to resend new password when lost?
>> You would never resend a password, but would rather reset it. So if the
>> email address is not stored, then basically follow the same process as
>> initial sign up.
>> Note, I'm not suggesting there is no need to store email. Simply
>> highlighting it's not needed for password resets.
> Ummm, how exactly? If the server only keeps the username and password
> hash, how do you verify that the email address a password reset is
> sent to is that user's email address? How do you prevent an account
> being highjacked just by knowing the username?
What I meant to highlight was it's not necessary to use a stored email 
for a password reset -- thus the reset process could be the same as the 
registration process.

As you point out the email/password combo does need to be stored 
somewhere in order to actually authenticate.

  ~ ~ Dave

More information about the pmwiki-users mailing list