[pmwiki-users] A robust user registration module

Wordit Ltd wordituk at googlemail.com
Fri May 21 10:32:35 CDT 2010


On Thu, May 20, 2010 at 5:08 PM, Hans <design5 at softflow.co.uk> wrote:
>
> Is it a safe enough method to send out a registration code to a new
> user, with a link and url parameters for automatic confirmation?


(Hans this is the thread I was referring to in my post on FoxNotify yesterday).

I had no problems using this method. If you want to be really secure
then just wrap a secret word into a hashed number instead of just a
random key, e.g. sha1($email.$secret).

I don't think hashing or encryption is necessary because all you need
is a unique number e.g. like short urls (youtube, bitly), and the
email address. A spammer or thief would need to guess both the number
and email. If you are still unsure just limit the allowed verification
attempts. It's simple and secure.

I have a sign-up script I wrote in PHP and used it for a site over
several months successfully. It had a few hundred subs, noticed no
problems. It was very simple. 95% of the code was form validation and
retrieving data.

What I did, and this might work for pmwiki, is to use a separate flat
file for the sign-ups. This keeps the real user list clean. On
successful verification, and that is simply comparing the email and
key, you copy the user data to where it's needed.

To unsub go the same way. Write the request to a temp file entry, when
successful, remove both the temp and real DB entries. I included the
current unix time so the sign-ups could also expire. Failed
subs/unsubs don't affect the real DB. All the junk stays in temp
files. You can also control sign-ups by IP logging. I used a PHP
script which writes to flat files, but one could just as well use
pmwiki's built-in methods.


So my suggestion is to not mess with the actual wiki data until after
verification. This would also allow a general method of verification.
Cookbook authors can then select where and how they want to write the
verified data. It's really a feature pmwiki needs.

I hope that makes sense. I am willing to help, only my knowledge of
pmwiki coding is minimal. Since I've written such a script before and
used it in a working environment I can help in the design and whatever
code I can provide.


Marcus
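
The flow described in this message (separate pending file, email plus key comparison, expiry by Unix time, limited verification attempts), written in PHP as an added example; it is not Marcus's script or PmWiki code. It uses hash_hmac with SHA-256 and hash_equals in place of the sha1($email.$secret) form mentioned above, and SECRET, TTL, MAX_TRIES, the function names and the JSON file layout are assumptions.

```php
<?php
// Added example, not the author's script. SECRET, TTL, MAX_TRIES and the
// JSON flat-file layout are assumptions made for illustration.
const SECRET = 'replace-with-long-random-server-secret'; // placeholder value
const TTL = 86400;       // pending sign-ups expire after 24 hours
const MAX_TRIES = 5;     // allowed verification attempts per sign-up
function load(string $f): array { return is_file($f) ? (json_decode(file_get_contents($f), true) ?: []) : []; }
function save(string $f, array $r): void { file_put_contents($f, json_encode($r), LOCK_EX); }
// The key binds the address to its sign-up time under a server-side secret.
function make_key(string $email, int $ts): string {
    return hash_hmac('sha256', strtolower($email) . '|' . $ts, SECRET);
}
// Step 1: record the request in the pending file only; return the key to mail out.
function signup(string $pending, string $email, int $now): string {
    $rows = load($pending);
    $rows[strtolower($email)] = ['ts' => $now, 'tries' => 0];
    save($pending, $rows);
    return make_key($email, $now);
}
// Step 2: compare email and key; copy to the real list only on success.
function verify(string $pending, string $users, string $email, string $key, int $now): string {
    $rows = load($pending);
    $id = strtolower($email);
    if (!isset($rows[$id])) return 'unknown';
    $row = $rows[$id];
    if ($now - $row['ts'] > TTL || $row['tries'] >= MAX_TRIES) {
        unset($rows[$id]);                 // expired or out of attempts: drop it
        save($pending, $rows);
        return 'rejected';
    }
    if (!hash_equals(make_key($email, $row['ts']), $key)) {
        $rows[$id]['tries']++;             // count the failed attempt
        save($pending, $rows);
        return 'bad-key';
    }
    $list = load($users);
    $list[$id] = ['verified' => $now];
    save($users, $list);                   // the real list is written only here
    unset($rows[$id]);
    save($pending, $rows);
    return 'ok';
}
// Constructed demo run against two temp files (address and times are made up).
$p = tempnam(sys_get_temp_dir(), 'pend'); $u = tempnam(sys_get_temp_dir(), 'user');
$k = signup($p, 'alice@example.org', 1000);
echo verify($p, $u, 'alice@example.org', 'wrong', 1010), "\n";
echo verify($p, $u, 'alice@example.org', $k, 1020), "\n";
unlink($p); unlink($u);
```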


