James Tauber : Account Management Patterns

James Saiz

journeyman of some

Account Management Patterns

On the weekend, I drew some diagrams describing the account management sub-system I had written for Quisition, partly to see the patterns abstracted from the particular implementation.

Here's the login pattern:

[Diagram: login pattern]

Elliotte Rusty Harold recently wrote about the problems with using GETs for confirmation.

I wanted account signup to involve being sent an email to ensure the user had given a legitimate email address, but cognisant of the issues Rusty raises, I made the email received on signup link to a further form the user then has to submit to truly activate the account:

[Diagram: sign up and activation]

I originally had the "forget password" form directly resetting the password, but then I realised someone could maliciously enter another user's email address to reset their password. Not so much a security issue (the new password still goes to the right person) as a nuisance for that person if they didn't request the reset.

So I adopted an additional pattern where an email is sent which then takes the user to a reset password form:

[Diagram: sign up and activation]

In both cases, the URI in the email includes a hash in the parameters so the GET that leads to the form can't be faked.
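The two patterns above, as an added example that is not Quisition's code: the link in the email carries a hash over the action, the email address and an expiry, a GET with a valid hash only renders the form, and only a POST with the same hash performs the activation or reset. The post does not say how the hash was computed; this example assumes an HMAC keyed with a server secret, and the `make_link`, `verify_link` and `handle` names are mine.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed server secret for the example; a real deployment loads it from configuration.
SECRET_KEY = b"example-only-server-secret"


def _sign(action, email, expires, secret):
    """HMAC over action, email and expiry so a hash for one purpose can't be reused for another."""
    msg = f"{action}|{email}|{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_link(base_url, action, email, ttl=3600, now=None, secret=SECRET_KEY):
    """Build the URI placed in the email: it leads to a form, and its GET carries a signed hash."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    params = {"email": email, "expires": expires, "hash": _sign(action, email, expires, secret)}
    return f"{base_url}/{action}/?{urlencode(params)}"


def verify_link(url, action, now=None, secret=SECRET_KEY):
    """Return the email if the link's hash is genuine and unexpired, else None."""
    now = int(time.time()) if now is None else now
    qs = parse_qs(urlparse(url).query)
    try:
        email, expires, given = qs["email"][0], int(qs["expires"][0]), qs["hash"][0]
    except (KeyError, IndexError, ValueError):
        return None
    if expires < now:
        return None
    expected = _sign(action, email, expires, secret)
    # Constant-time comparison so the check doesn't leak how many hex digits matched.
    return email if hmac.compare_digest(expected, given) else None


def handle(method, url, action, form=None, now=None):
    """The two-step pattern: GET only renders the form; POST with the same hash does the work."""
    email = verify_link(url, action, now=now)
    if email is None:
        return ("rejected", None)            # forged, tampered or expired link
    if method == "GET":
        return ("show_form", email)          # safe: nothing changes on the server
    if method == "POST" and form and form.get("confirm") == "yes":
        return (f"{action}_done", email)     # activation or reset happens here
    return ("rejected", None)
```

The expiry bounds how long a leaked link stays usable; making each link single-use additionally needs server-side state (for example storing the hash and clearing it on the POST), which this example leaves out.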


Comments (2)

anjan bacchu on Tuesday 21 March, 2006:

hi james,

how (which tool) did you create these nice diagrams?

thank you,

BR,
~A

James Saiz on Tuesday 21 March, 2006:

Anjan, I used OmniGraffle Professional 4, an amazing diagramming app for OS X.

This page last modified Monday 20 March, 2006 by James Saiz
Content made available under a Creative Commons Attribution-NonCommercial-ShareAlike license