What does your step 2 entail and how does it guarantee validity? I'm
assuming the SHA-1 is of some string that is not easily guessable. Is
it a SHA-1 of the email or other user data plus some salt? Or some
random string? Does it really matter?

In my case, the SHA-1 token will probably be the user's login or email. It just needs to be something unique.

require 'digest'

# SHA-1 hex digest of the login; the same login always yields the same 40-char digest
@user.password = Digest::SHA1.hexdigest(@user.login)

Similar to MD5, but more secure, SHA-1 is a robust, 160-bit cryptographic hash. This is one-way encryption, but my key will always produce the same result when it's encrypted (so that's why MD5 and SHA-1 are often used for passwords -- store the hash, not the password in the db).

So, once I generate the validation token, it's almost certainly unique and the SHA-1 number space is large enough that it would be painful for bots to try hacking the validation process.

Of course, ultimately, this won't prevent absolutely all spam signups, but it should be a good start. I'm leaning towards not using a CAPTCHA because they're not accessible and increasingly hackable.

Best,
Patrick
_______________________________________________
Sdruby mailing list
http://lists.sdruby.com/mailman/listinfo/sdruby

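As an added example (not code from Patrick's post or from anyone on the list), here is the post's login-derived token in Ruby next to a randomly generated one, with a small check of what a bot that already knows the login can do against each scheme. The helper names (login_token, random_token, issue_token, validate_signup, bot_can_confirm?), the use of SecureRandom and SHA-256 for the stored digest, and the sample login are assumptions made for illustration, not part of the original post.

```ruby
require 'digest'
require 'securerandom'

# Token as the post describes it: the SHA-1 hex digest of the login.
# Deterministic, so anyone who knows the login can recompute it.
def login_token(login)
  Digest::SHA1.hexdigest(login)
end

# Alternative (assumed, not from the post): a random token from the OS CSPRNG.
# 20 random bytes give 160 bits, the same width as a SHA-1 digest.
def random_token(bytes = 20)
  SecureRandom.hex(bytes)
end

# Only a digest of the token goes into the pending-signup table; the token
# itself is sent to the user once and never stored.
def token_digest(token)
  Digest::SHA256.hexdigest(token)
end

# Constant-time comparison, so validation timing does not leak the digest.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issue a token for a new signup. mode is :login (the post's scheme) or :random.
# Returns [record to store, token to e-mail to the user].
def issue_token(login, mode)
  token = mode == :login ? login_token(login) : random_token
  [{ digest: token_digest(token) }, token]
end

# Validate a token presented on the confirmation link against the stored digest.
def validate_signup(store, login, presented)
  digest = store.dig(login, :digest)
  return false unless digest
  secure_equal?(digest, token_digest(presented))
end

# Attacker model: the bot knows the victim's login and tries the obvious guess,
# the SHA-1 of that login. Returns true if the guess passes validation.
def bot_can_confirm?(store, login)
  validate_signup(store, login, Digest::SHA1.hexdigest(login))
end

# Constructed sample run with a hypothetical login (not real data).
if __FILE__ == $PROGRAM_NAME
  login = 'patrick'
  %i[login random].each do |mode|
    store = {}
    record, token = issue_token(login, mode)
    store[login] = record
    puts "#{mode}: user confirms=#{validate_signup(store, login, token)} " \
         "bot guesses=#{bot_can_confirm?(store, login)}"
  end
end
```

Run stand-alone it prints one line per scheme: with the login-derived token both the user and the bot pass validation, with the random token only the user does. The point the check makes is that a deterministic digest of public data is unique but not secret, while a random token has the same size and uniqueness and is not recomputable by a third party.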