[pmwiki-users] A robust user registration module

Eemeli Aro eemeli at gmail.com
Fri May 28 05:35:18 CDT 2010


On 27 May 2010 17:16, Wordit Ltd <wordituk at googlemail.com> wrote:
> - The data does not have to be stored *before* verification because
> the data will be sent back when the user clicks the email link, and
> the key tells us if it's correct.

The way I see it, storing the new user data on first submission is a
relatively easy task, no matter what background storage system is
used. As a minimum, each of those will need to store the password hash
somewhere, and it's easy to "corrupt" it by combining it with the key
(in an identifiable reversible manner, of course).

There are at least three benefits from storing the data, as opposed to
passing it through the authentication link:

1) Query parameters will get stored into browser histories and other
places; we'll be leaking personal information just for our own minor
convenience

2) Authentication links get significantly longer, which may produce
more copy-paste errors, especially if an e-mail client breaks the link
to multiple lines

3) There's a secret that is potentially discoverable and would allow
bypassing the authentication. Minor risk (salted MD5 hash...) and with
little reward, but still...

> - This also works for email subscription only sign-ups to newsletters
> or Notify, for users without accounts. It should not require a
> username and password.

For using PmWiki data as a back-end to a newsletter or mailing list,
I'd recommend Enemies of Carlotta
<http://liw.iki.fi/liw/eoc/index.html>. It's no longer maintained, but
the latest version seems stable. The reason I recommend it is that it
has very few external requirements, and its back-end is completely
flat-file. This means that it's been relatively simple to write a
function for $EditFunctions that uses a pagelist to get the e-mail
addresses, and writes the changes to the EoC subscriber lists.

If someone's interested, I can publish the code, but I figured it's a
bit too arcane for general use. I'm also using MHonArc
<http://www.mhonarc.org/> to convert the list archives to HTML, and
yet more custom code to make that accessible from within PmWiki
(including attachments, which TBH I was surprised would work).

eemeli
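As an added illustration (not Eemeli's or PmWiki's code), the "store it now, corrupt the hash with the key" design from the message above in Python: the record is written on first submission, its password hash is XOR-masked with a pad derived from the link key and prefixed with an identifiable marker so logins refuse it, and clicking the link restores the real hash. Storing a SHA-256 digest of the key so the link can be checked before unmasking is an assumption of this example, not something the message specifies; the in-memory dict stands in for whatever storage back-end is used.

```python
import hashlib
import hmac
import secrets

PENDING = "pending:"  # identifiable marker: this hash cannot yet be used to log in

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def mask(pw_hash: bytes, key: str) -> bytes:
    # Reversible corruption: XOR with a 32-byte pad derived from the link key.
    pad = hmac.new(key.encode(), b"mask", "sha256").digest()
    return bytes(a ^ b for a, b in zip(pw_hash, pad))

def register(store: dict, name: str, email: str, password: str) -> str:
    """Store the account immediately with an unusable hash; return the key
    for the verification e-mail (only its digest is kept server-side, an
    assumption of this example)."""
    key = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    store[name] = {
        "email": email,
        "salt": salt.hex(),
        "pwhash": PENDING + mask(hash_password(password, salt), key).hex(),
        "keycheck": hashlib.sha256(key.encode()).hexdigest(),
    }
    return key

def verify_link(store: dict, name: str, key: str) -> bool:
    """Handle the clicked link: check the key, then uncorrupt the hash."""
    rec = store.get(name)
    if rec is None or not rec["pwhash"].startswith(PENDING):
        return False  # unknown user or already verified
    expected = hashlib.sha256(key.encode()).hexdigest()
    if not hmac.compare_digest(rec["keycheck"], expected):
        return False
    masked = bytes.fromhex(rec["pwhash"][len(PENDING):])
    rec["pwhash"] = mask(masked, key).hex()  # XOR again restores the real hash
    del rec["keycheck"]
    return True

def check_login(store: dict, name: str, password: str) -> bool:
    rec = store.get(name)
    if rec is None or rec["pwhash"].startswith(PENDING):
        return False  # pending records are identifiable and always rejected
    got = hash_password(password, bytes.fromhex(rec["salt"]))
    return hmac.compare_digest(got.hex(), rec["pwhash"])
```

Because only the key digest is stored, the link itself carries no personal data and a leaked database cannot be used to complete someone else's registration.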
