The activation code is a unique token supposed to be used only once. I think it's not that insecure because:
* it's not easy to guess
* people (or bots) other than the user that actually signs up would not be able to see it (before the user uses it)
* when some bots could see it in the url, it's more likely that the user has already visited that url and the activation code is no longer valid

BTW, the web app should count on the user to protect their email from exposing the activation url.

On Sep 28, 5:53 am, jdutil <[EMAIL PROTECTED]> wrote:
> I haven't really dug into it at all yet so it may be justified for some
> reason, but isn't this a large security hole? I intend to fix it
> before going public, but am wondering if there is some reason for
> this... Once the user signs up their activation code is in the url...
> Doesn't that defeat the purpose of sending an activation email to help
> prevent spammers/bots etc... While even activation emails aren't that
> great of a system to stop bots it still makes it more difficult...
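An added example, not part of the original thread and not CommunityEngine's code: a single-use activation token with the two properties the reply relies on (hard to guess, invalid after first use). The `ActivationStore` class and its in-memory hashes are hypothetical stand-ins for the application's user table; storing only a digest of the token is an extra assumption of this sketch.

```ruby
require "securerandom"
require "digest"

# Hypothetical in-memory stand-in for the users table.
class ActivationStore
  def initialize
    @pending = {} # SHA-256 digest of token => user id awaiting activation
    @active  = {} # user id => true once activated
  end

  # Issue an unguessable token: 32 bytes from the OS CSPRNG, URL-safe encoded.
  # Only the digest is stored, so a leaked table does not yield usable links.
  def issue(user_id)
    token = SecureRandom.urlsafe_base64(32)
    @pending[Digest::SHA256.hexdigest(token)] = user_id
    token # goes into the emailed activation URL and nowhere else
  end

  # Redeem a token exactly once. Hash#delete removes and returns the entry
  # in one step, so a replayed URL finds nothing. With a real database the
  # equivalent is a single conditional UPDATE/DELETE, not read-then-write.
  def activate(token)
    return nil unless token.is_a?(String) && !token.empty?
    user_id = @pending.delete(Digest::SHA256.hexdigest(token))
    return nil if user_id.nil?
    @active[user_id] = true
    user_id
  end

  def active?(user_id)
    @active.key?(user_id)
  end
end

if __FILE__ == $0
  store = ActivationStore.new
  token = store.issue(42)                 # constructed sample user id
  puts "first use:  #{store.activate(token).inspect}"
  puts "second use: #{store.activate(token).inspect}"
end
```

Looking the token up by its digest also avoids comparing the secret byte by byte against stored values.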
