[pmwiki-users] PageList Project

The Editor editor at fast.st
Mon Jan 29 19:10:53 CST 2007


On 1/28/07, marc <gmane at auxbuss.com> wrote:
> > > (Generate the hash by something like:
> > >    $hash = md5($newemail.$hiddenHash);)
> > >
> > > This method never times out.
> >
> > Thanks for the idea Marc.
>
> It's not my idea :-) This is standard procedure for this kind of update.
> Been going on for millions of years.
>
> > I don't know much about this hash idea, and
> > will read up on it a bit and see what I can come up with.  Though I
> > must admit, I'm not so sure I like the idea of them never timing
> > out...
>
> Why? I know it's an obvious question, but better to ask why you believe
> a time limit is necessary; what purpose does it fulfill?

Well perhaps not much.  But I do delete these pages after the time
limit so I don't have a bunch of these temp pages filling my wiki.  I
also thought it might be more secure putting a time limit on them,
that they would be less likely to get into the wrong hands--but I
suppose that's not a big issue.

> What you have is the user's email address stored somewhere - PmWiki page
> or database. The user decides to change their email, so you create a
> hash based on the new email and a secret string - something like:
>
>    $hash = md5($newemail.$hidden_hash_var);
>
> - and email it back to their original email address
>
>    $returnlink = "http://www.example.com/Site/ChangeEmailConfirm";
>    $mail->Body = "\nFollow this link to confirm your email change:\n".
>                 "$returnlink?hash=$hash".
>                 "&email=".urlencode($newemail);

Yes this could be done.  It's a good idea.  Either way.  I'll think
about it some more. It would be easy enough to do either with ZAP
though I don't have a built in ZAP command, so that's another slight
advantage to a non-hash approach.  I would also have to dig in and
learn the ins and outs of hashing...

Thanks again, Marc, I am really enjoying learning so much from those
of you with so much more experience.  It's a great school, here at
PmWiki!

Cheers,
Dan
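
The confirmation-link scheme discussed in this thread, as an added example that is not part of the original messages or of PmWiki/ZAP: it swaps the md5 concatenation for hash_hmac with SHA-256 and puts an expiry time inside the signed data, so links time out without any temp pages being stored. The function names, the `user` and `exp` parameters, and all sample values are assumptions.

```php
<?php
// Added example with hypothetical helper names. $secret plays the role of
// the thread's $hidden_hash_var and never leaves the server.

function confirm_mac(string $user, string $newEmail, int $expires, string $secret): string
{
    // JSON-encode the fields so their boundaries are unambiguous.
    return hash_hmac('sha256', json_encode([$user, $newEmail, $expires]), $secret);
}

function make_confirm_link(string $base, string $user, string $newEmail,
                           string $secret, int $ttl = 86400, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttl;
    return $base . '?' . http_build_query([
        'user'  => $user,
        'email' => $newEmail,
        'exp'   => $expires,
        'hash'  => confirm_mac($user, $newEmail, $expires, $secret),
    ]);
}

function verify_confirm_request(array $q, string $secret, ?int $now = null): bool
{
    foreach (['user', 'email', 'exp', 'hash'] as $k) {
        if (!isset($q[$k]) || !is_string($q[$k])) {
            return false;                 // missing or array-valued parameter
        }
    }
    if (!ctype_digit($q['exp']) || (int)$q['exp'] < ($now ?? time())) {
        return false;                     // malformed or expired link
    }
    $expected = confirm_mac($q['user'], $q['email'], (int)$q['exp'], $secret);
    return hash_equals($expected, $q['hash']);   // constant-time comparison
}

// Constructed sample values, with a fixed clock so the run is repeatable.
$secret = 'constructed-secret-for-demo-only';
$link = make_confirm_link('http://www.example.com/Site/ChangeEmailConfirm',
                          'dan', 'new@example.com', $secret, 3600, 1000000);
parse_str(parse_url($link, PHP_URL_QUERY), $q);

var_dump(verify_confirm_request($q, $secret, 1000500));   // inside the hour
var_dump(verify_confirm_request($q, $secret, 1003601));   // after expiry
$q['email'] = 'other@example.com';
var_dump(verify_confirm_request($q, $secret, 1000500));   // address altered
```

Because the expiry is covered by the MAC, editing `exp` in the URL invalidates the link just as editing `email` does.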
