>
> The problem with this is it requires state on the server, which means . . .


I don't think it's necessary to implement this in such a way that additional
server state is stored.  Instead, you could let the confirmation token be a
hash of the internal user state -- including, most importantly, the user
password's salt and encrypted values.  That way, the valid confirmation
token is 1) known only to the server (the User 'password' field is not
externalized), 2) able to be computed at any time without being stashed
anywhere, 3) constant until the user changes their password, and 4)
guaranteed to change whenever the password is actually changed.

  -- Scott

On Fri, Jun 27, 2008 at 8:12 PM, Luke Plant <[EMAIL PROTECTED]> wrote:

>
> On Friday 27 June 2008 23:06:57 Collin Grady wrote:
> > [EMAIL PROTECTED] said the following:
> > I'd suggest making the code to change the password a one-use-only
> > item though, so that even if someone did sniff the code, it'd be
> > useless after that.
>
> The problem with this is it requires state on the server, which means
> extra database models, and on top of that those tables will need cron
> jobs to clear them out or something.  This is especially a problem
> since hostile users can cause creation of rows in those tables - as
> many as they like, just by making a web request - though maybe I'm
> just being paranoid now.  I wanted to keep the dependencies for this
> down to the minimum, and you can always replace it with something
> better.
>
> I'm not familiar with James Bennett's registration app, so I can't
> comment on that front.
>
> Luke
>
> --
> "I have had a perfectly lovely evening. However, this wasn't it."
> (Groucho Marx)
>
> Luke Plant || http://lukeplant.me.uk/
>


-- 
http://scott.andstuff.org/ | http://truthadorned.org/
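The stateless token Scott describes, as an added worked example (editor's code, not from Scott's message or from Django's own implementation). It keys the hash with a server-side secret so that knowing the hashing scheme alone does not let anyone forge a token, folds an issue timestamp into the HMAC so tokens also expire, and compares in constant time. The User class, the SERVER_SECRET value and the field layout "alg$iter$salt$hash" are assumptions constructed for the example; a real deployment would take the secret from configuration and the user from the ORM.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a server-only secret from configuration. The token is an HMAC
# under this key over state that is itself never externalised.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


class User:
    """Minimal stand-in for an ORM user model (constructed for this example)."""

    def __init__(self, user_id, username, password):
        self.id = user_id
        self.username = username
        self.set_password(password)

    def set_password(self, password):
        # Fresh random salt on every change, so the stored field changes even
        # if the user re-enters the same password.
        salt = secrets.token_hex(8)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)
        self.password = f"pbkdf2_sha256$100000${salt}${digest.hex()}"


def _mac(user, ts_hex):
    # Bind the token to the user id (so it cannot be replayed against another
    # account) and to the salt+hash field (so it dies with the next password
    # change). The timestamp string is signed exactly as it will be sent.
    msg = f"{user.id}|{user.password}|{ts_hex}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def make_token(user, issued_at=None):
    """Return 'timestamp_hex-mac'; nothing needs to be stored server-side."""
    issued_at = int(time.time()) if issued_at is None else int(issued_at)
    ts_hex = format(issued_at, "x")
    return f"{ts_hex}-{_mac(user, ts_hex)}"


def check_token(user, token, max_age=3600, now=None):
    """Recompute the MAC from current user state and check it plus the age."""
    now = int(time.time()) if now is None else int(now)
    try:
        ts_hex, mac = token.split("-", 1)
        issued_at = int(ts_hex, 16)
    except ValueError:
        return False
    # Constant-time comparison: a plain == would leak the MAC byte by byte.
    if not hmac.compare_digest(mac, _mac(user, ts_hex)):
        return False
    return 0 <= now - issued_at <= max_age


def reset_password(user, token, new_password, now=None):
    """The reset endpoint: verify, then change the password. Because the
    password field is part of the MAC input, the token is dead afterwards."""
    if not check_token(user, token, now=now):
        return False
    user.set_password(new_password)
    return True


if __name__ == "__main__":
    alice = User(7, "alice", "correct horse battery")
    tok = make_token(alice, issued_at=1_700_000_000)
    print("valid now:      ", check_token(alice, tok, now=1_700_000_100))
    print("reset succeeds: ", reset_password(alice, tok, "new password", now=1_700_000_200))
    print("valid after use:", check_token(alice, tok, now=1_700_000_300))
```

Note that this also gives Collin's one-use property without any table: the only thing the token is good for is changing the password, and doing that changes the very field the token is derived from, so a sniffed token is worthless once it has been used. The timestamp is the one thing the hash-of-user-state design on its own does not cover; without it, an old reset link stays valid until the next password change.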

You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en