Hi, I don't know if this is handled differently in the new Jetspeed build, but with my release, when I get a confirmation email, the email contains all personal user data, like login, password, and activation key.
This is also included in the URL which is sent to the user. So this URL with all this data is sent through the internet and can be easily abused by someone else.

What can be done easily: Remove the activation key from the URL; because you have to insert it into the input field, there's no need to keep it in the URL.

Recommendation: After the registration process an email is sent to the user which contains only the key and a URL. In his browser the insert-confirmation-key page should come up where he can input his received key. If the user doesn't want to wait for the email, he can click on the link in the email later, which will route him directly to the insert-confirmation-key page. This page knows that the user is coming from 'outside' just for the confirmation and offers two more fields for the login and the password.

What do you think about this? Maybe it has been changed in the current build.

Andreas
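The flow recommended in the message above, as an added example that is not part of the original post and is not Jetspeed code: it builds the mail both ways, checks outgoing mail bodies for credentials in link query strings, and verifies the key on a page that asks for login and password. The URL, the parameter names and all function names are hypothetical, since the post does not give Jetspeed's own.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical names: the post gives neither Jetspeed's URL nor its parameter names.
CONFIRM_PAGE = "https://portal.example/confirm"
SENSITIVE_PARAMS = {"username", "password", "key"}


def weak_mail(login, password, key):
    """Pattern the post describes: login, password and key travel in the link."""
    query = urlencode({"username": login, "password": password, "key": key})
    return f"Login: {login}\nPassword: {password}\nConfirm: {CONFIRM_PAGE}?{query}\n"


def recommended_mail(key):
    """Recommended mail: only the key and a bare link to the key-entry page."""
    return f"Your confirmation key: {key}\nEnter it at: {CONFIRM_PAGE}\n"


def leaked_params(mail_body):
    """Sensitive query parameters found in any URL of an outgoing mail body."""
    found = set()
    for url in re.findall(r"https?://\S+", mail_body):
        found |= SENSITIVE_PARAMS & set(parse_qs(urlsplit(url).query))
    return sorted(found)


def confirm(pending, login, password, key, check_password):
    """Confirmation from 'outside': the page asks for login, password and key."""
    expected = pending.get(login)
    if expected is None or not check_password(login, password):
        return False
    # Constant-time comparison of the stored key and the submitted key.
    if not hmac.compare_digest(expected.encode(), key.encode()):
        return False
    del pending[login]  # assumption: a key confirms an account once
    return True


if __name__ == "__main__":
    key = secrets.token_urlsafe(16)  # constructed sample key
    print(leaked_params(weak_mail("andreas", "s3cret", key)))
    print(leaked_params(recommended_mail(key)))
```

`leaked_params` can run as a unit test over every outgoing mail template so that a link carrying credentials fails the build.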
