I'm a little confused as to what you're really trying to do, but I think I understand.
You want to do e-mail activation while preventing an intruder from stealing the authentication URL which identifies the target user's e-mail address that was used to authenticate. I hope that makes some sense? The only way to do this is to force the user to authenticate during the duration of a session. When they request that their e-mail address be authenticated, you send them an e-mail with the user's ID in the URL. When the user receives the e-mail they follow the URL, and authentication is performed with data in the session, and not a hashed key. I've seen online banks do things like this.

This only works for users whose e-mail will allow the delivery of the e-mail within the duration of a session, and who are given clear instructions that the session must be maintained to complete authentication. Any users who end the session during this process will have to request a new activation e-mail. This solves the problem of the intruder or the user sharing the e-mail.
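The flow described in the message above, as an added sketch that is not part of the original post and does not use CakePHP's own API. The function names, the URL, the 30-minute lifetime and the sample values are assumptions; sessions are plain arrays so the script runs from the command line.

```php
<?php
// Added illustration, not CakePHP code. In an application the $session
// arrays below would be the per-visitor session store ($_SESSION).

const ACTIVATION_TTL = 1800; // assumed session lifetime, in seconds

// Step 1: the logged-in user asks to activate an address. The pending state
// lives only in that session; the mailed URL carries nothing but the user ID.
function requestActivation(array &$session, int $userId, string $email, int $now): string
{
    $session['pending_activation'] = [
        'user_id' => $userId,
        'email'   => $email,
        'expires' => $now + ACTIVATION_TTL,
    ];
    return 'https://app.example/users/activate/' . $userId; // hypothetical URL
}

// Step 2: the link is followed. Returns the activated address, or null when
// the request does not come from the session that asked for the e-mail.
function confirmActivation(array &$session, int $userId, int $now): ?string
{
    $pending = $session['pending_activation'] ?? null;
    if ($pending === null || $pending['user_id'] !== $userId) {
        return null; // no matching state: a new activation e-mail is needed
    }
    unset($session['pending_activation']); // single use, also cleared on expiry
    if ($now > $pending['expires']) {
        return null;
    }
    return $pending['email'];
}

// Constructed walk-through with two independent sessions.
$requester = [];   // session of the user who requested activation
$stranger  = [];   // any other session that obtains the same link
$t0 = 1700000000;  // constructed timestamp

$url = requestActivation($requester, 42, 'alice@example.com', $t0);
var_dump(confirmActivation($stranger, 42, $t0 + 60));   // link opened elsewhere
var_dump(confirmActivation($requester, 42, $t0 + 60));  // link opened by requester
var_dump(confirmActivation($requester, 42, $t0 + 120)); // same link opened again

requestActivation($requester, 42, 'alice@example.com', $t0);
var_dump(confirmActivation($requester, 42, $t0 + ACTIVATION_TTL + 1)); // after expiry
```

Because the URL holds no secret, the session is the only thing that authorises the activation, so the session check has to run before any account state is changed.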
