On 27 May 2010 17:16, Wordit Ltd <[email protected]> wrote:
> - The data does not have to be stored *before* verification because
> the data will be sent back when the user clicks the email link, and
> the key tells us if it's correct.

The way I see it, storing the new user data on first submission is a relatively easy task, no matter what background storage system is used. As a minimum, each of those will need to store the password hash somewhere, and it's easy to "corrupt" it by combining it with the key (in an identifiable reversible manner, of course).

There are at least three benefits from storing the data, as opposed to passing it through the authentication link:

1) Query parameters will get stored into browser histories and other places; we'll be leaking personal information just for our own minor convenience
2) Authentication links get significantly longer, which may produce more copy-paste errors, especially if an e-mail client breaks the link to multiple lines
3) There's a secret that is potentially discoverable and would allow bypassing the authentication. Minor risk (salted MD5 hash...) and with little reward, but still...

> - This also works for email subscription only sign-ups to newsletters
> or Notify, for users without accounts. It should not require a
> username and password.

For using PmWiki data as a back-end to a newsletter or mailing list, I'd recommend Enemies of Carlotta <http://liw.iki.fi/liw/eoc/index.html>. It's no longer maintained, but the latest version seems stable. The reason I recommend it is that it has very few external requirements, and its back-end is completely flat-file. This means that it's been relatively simple to write a function for $EditFunctions that uses a pagelist to get the e-mail addresses, and writes the changes to the EoC subscriber lists. If someone's interested, I can publish the code, but I figured it's a bit too arcane for general use.

I'm also using MHonArc <http://www.mhonarc.org/> to convert the list archives to HTML, and yet more custom code to make that accessible from within PmWiki (including attachments, which TBH I was surprised would work).

eemeli

_______________________________________________
pmwiki-users mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
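
The trade-off discussed in this message, as an added example that is not part of the original post and not PmWiki code: the submission is stored server-side and the e-mailed link carries only a random token, next to the variant that carries the data in the query string. The in-memory `PENDING` store, all function names, the URL and the sample values are assumptions, and HMAC-SHA256 stands in for the salted MD5 key mentioned in the thread.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

PENDING = {}              # token digest -> record; stand-in for a flat file or DB
TTL_SECONDS = 24 * 3600   # assumed lifetime of an unconfirmed sign-up


def start_signup(email, password_hash, now=None):
    """Store the submission server-side; return the opaque token for the link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(16)  # 128 random bits, no user data inside
    digest = hashlib.sha256(token.encode()).hexdigest()
    # Only the digest is stored, so a leaked store does not yield usable links.
    PENDING[digest] = {"email": email, "pw": password_hash,
                       "expires": now + TTL_SECONDS}
    return token


def confirm_signup(token, now=None):
    """Return the stored data once; None for unknown, reused or expired tokens."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = PENDING.pop(digest, None)  # pop makes the link single-use
    if record is None or now > record["expires"]:
        return None
    return {"email": record["email"], "pw": record["pw"]}


def stored_link(base, token):
    """Link for the stored variant: one short opaque parameter."""
    return base + "?" + urlencode({"confirm": token})


def stateless_link(base, email, password_hash, secret):
    """Link for the pass-through variant: user data plus a keyed check value."""
    data = {"email": email, "pw": password_hash}
    key = hmac.new(secret, urlencode(data).encode(), hashlib.sha256).hexdigest()
    return base + "?" + urlencode({**data, "key": key})
```
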
