James Tauber : James Tauber's Blog 2006/03/20

Account Management Patterns

On the weekend, I drew some diagrams describing the account management sub-system I had written for Quisition, partly to see the patterns abstracted from the particular implementation.

Here's the login pattern:

[diagram: login pattern]

Elliotte Rusty Harold recently wrote about the problems with using GETs for confirmation.

I wanted account signup to involve sending an email, to ensure the user had given a legitimate email address; but, cognisant of the issues Rusty raises, I made the link in the signup email lead to a further form which the user then has to submit to actually activate the account:

[diagram: sign up and activation]

I originally had the "forgot password" form directly resetting the password, but then I realised someone could maliciously enter another user's email address to reset that user's password. Not so much a security issue (the new password still goes to the right person), but it's a nuisance for that person if they didn't request the reset.

So I adopted an additional pattern where an email is sent which then takes the user to a reset password form:

[diagram: sign up and activation]

In both cases, the URI in the email includes a hash in the parameters so the GET that leads to the form can't be faked.
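As an added illustration of the two emailed-link patterns above (this is example code, not code from the post or from Quisition), here is a minimal Python model of signup followed by activation and of forgotten-password followed by reset. The paths, parameter names, in-memory user store and server secret are this example's assumptions, as is the choice of a keyed HMAC with an expiry time where the post only says the URI carries "a hash in the parameters". The GET handler only verifies the link and decides whether to render the form; account state changes only on the POST from that form.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed for this example: a server-side secret and an in-memory store.
# A keyed HMAC (rather than a bare hash) means nobody without the server
# secret can compute a valid "hash" parameter for a forged link.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"
LINK_TTL_SECONDS = 24 * 60 * 60


@dataclass
class User:
    email: str
    salt: bytes
    password_hash: bytes
    active: bool = False


USERS: dict[str, User] = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _sign(purpose: str, email: str, issued: int) -> str:
    # Bind the value to the purpose ("activate" / "reset"), the address and the
    # issue time, so a token for one flow or one user cannot be replayed elsewhere.
    msg = f"{purpose}|{email}|{issued}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_link(purpose: str, email: str, now: int | None = None) -> str:
    """Build the URI that goes into the email (path and parameter names are assumed)."""
    issued = int(time.time()) if now is None else now
    query = urlencode({"email": email, "t": issued, "hash": _sign(purpose, email, issued)})
    return f"/{purpose}?{query}"


def verify_link(purpose: str, uri: str, now: int | None = None) -> str | None:
    """Check the emailed parameters without touching any account state.

    Returns the address the link was issued for, or None if the path,
    parameters, signature or age do not check out.
    """
    parts = urlsplit(uri)
    if parts.path != f"/{purpose}":
        return None
    params = parse_qs(parts.query)
    try:
        email = params["email"][0]
        issued = int(params["t"][0])
        given = params["hash"][0]
    except (KeyError, IndexError, ValueError):
        return None
    current = int(time.time()) if now is None else now
    if issued > current or current - issued > LINK_TTL_SECONDS:
        return None
    if not hmac.compare_digest(given, _sign(purpose, email, issued)):
        return None
    return email


def signup(email: str, password: str, now: int | None = None) -> str:
    """Create an inactive account and return the activation link to email out."""
    salt = os.urandom(16)
    USERS[email] = User(email, salt, _hash_password(password, salt))
    return make_link("activate", email, now)


def forgot_password(email: str, now: int | None = None) -> str | None:
    """Return the reset link to email out, or None for an unknown address.

    Nothing about the account changes here; the submitted address only selects
    who receives mail. The HTTP response to the requester should look the same
    either way, so the form does not reveal which addresses exist.
    """
    return make_link("reset", email, now) if email in USERS else None


def get_form(purpose: str, uri: str, now: int | None = None) -> dict | None:
    """The GET the emailed link triggers: it only decides whether to render the form."""
    email = verify_link(purpose, uri, now)
    if email is None or email not in USERS:
        return None
    # The rendered form re-submits the same parameters via POST.
    return {"purpose": purpose, "email": email, "action": uri}


def post_form(purpose: str, uri: str, new_password: str | None = None,
              now: int | None = None) -> bool:
    """The POST from that form: the only place account state changes."""
    email = verify_link(purpose, uri, now)
    if email is None or email not in USERS:
        return False
    user = USERS[email]
    if purpose == "activate":
        user.active = True
    elif purpose == "reset" and new_password:
        user.salt = os.urandom(16)
        user.password_hash = _hash_password(new_password, user.salt)
    else:
        return False
    return True


def check_password(email: str, password: str) -> bool:
    user = USERS.get(email)
    if user is None or not user.active:
        return False
    return hmac.compare_digest(user.password_hash, _hash_password(password, user.salt))
```

Because the signature covers the purpose, the address and the issue time, a link cannot be edited to point at another address, an activation link cannot be replayed against the reset form, and an old link stops working once the TTL passes; and because `get_form` never writes anything, a mail client or proxy prefetching the GET cannot activate an account or change a password.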

by James Saiz : 2006/03/20 : 0 trackbacks : 2 comments

Switched over to lighttpd

I just switched a bunch of my sites over to running on lighttpd including http://morphgnt.org/, http://leonardo.pyworks.org/ and http://www.quisition.com/.

It took me a little while to work out how to translate my ScriptAlias directives in Apache to lighttpd (hint: configure mod_alias to map the request path to the CGI script, then mod_cgi to recognize files ending in certain characters as CGI scripts).

The only problem I now have is I've killed anonymous SVN access on pyworks.org because I was previously serving it up via Apache. I'm still investigating alternatives to running Apache just for this purpose.

by James Saiz : 2006/03/20 : Categories web lighttpd : 0 trackbacks : 0 comments


Content made available under a Creative Commons Attribution-NonCommercial-ShareAlike license