I understand that is how it is supposed to work, but when you sign up
and are sitting on the page talking about the email you can see the
activation code in the URL.  That defeats the purpose of the email
being the only thing containing the code.  A bot could just snag the
URL, parse out the code, and then hit the proper URL for the activate
action.  I don't think the code should be shown in the URL after
signing up.  When I get around to making the change, since I added it
to my list, if you guys agree with me, I can submit the change to be
added into Subversion.

On Sep 28, 5:12 am, Fritzek <[EMAIL PROTECTED]> wrote:
> This activation code is just sent by email and valid once. To have
> more security, use the reCAPTCHA at sign up plus the activation code.
>
> On 27 Sep., 23:53, jdutil <[EMAIL PROTECTED]> wrote:
>
> > I haven't really dug into it at all yet so it may be justified for some
> > reason, but isn't this a large security hole?  I intend to fix it
> > before going public, but am wondering if there is some reason for
> > this... Once the user signs up their activation code is in the URL...
> > Doesn't that defeat the purpose of sending an activation email to help
> > prevent spammers/bots etc... While even activation emails aren't that
> > great of a system to stop bots it still makes it more difficult...
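
The concern raised in this thread can be turned into a regression check. The following is an added example, not part of the original messages and not CommunityEngine's code: the `SignupFlow` class, its route names (`/signup_completed/...`, `/activate/...`) and the helper functions are hypothetical stand-ins that model a single-use e-mailed activation code and compare a post-signup redirect that carries the code with one that carries only a user id.

```ruby
require "securerandom"

# Hypothetical stand-in for a signup/activation flow (not CommunityEngine code).
# All route names below are constructed for this example.
class SignupFlow
  attr_reader :outbox

  def initialize(code_in_redirect:)
    @code_in_redirect = code_in_redirect
    @users = {}
    @outbox = [] # activation e-mails that would be sent
  end

  # Creates an inactive user, "sends" the mail, returns the redirect Location.
  def signup(email)
    code = SecureRandom.hex(20)
    @users[email] = { id: @users.size + 1, code: code, active: false }
    @outbox << { to: email, body: "Activate: /activate/#{code}" }
    ref = @code_in_redirect ? code : @users[email][:id]
    "/signup_completed/#{ref}"
  end

  # Single-use activation: the code is cleared once it has been redeemed.
  def activate(code)
    user = @users.values.find { |u| !u[:active] && u[:code] && u[:code] == code }
    return false unless user
    user[:active] = true
    user[:code] = nil
    true
  end
end

# Extracts the code from a mail body, as the legitimate recipient would.
def code_from_mail(mail)
  mail[:body][%r{/activate/(\h+)}, 1]
end

# Regression check: true if anything in the post-signup URL activates the
# account, i.e. the mailbox is not actually needed.
def activatable_without_mail?(flow, email)
  location = flow.signup(email)
  location.split("/").reject(&:empty?).any? { |segment| flow.activate(segment) }
end
```

A check of this shape belongs in the application's functional tests, asserting that nothing returned to the browser at signup is accepted by the activate action.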