[Cosmo-dev] account activation link persistence
Brian Moseley
bcm at osafoundation.org
Thu Nov 16 18:00:28 PST 2006
On 11/16/06, Travis Vachon <travis at osafoundation.org> wrote:
> The way we want this to work (I believe) is that when a user signs up
> for an account, they should be sent an e-mail with a link something
> like "http://osaf.us/cosmo/account/activate?id=ag3de98435jsdf45".
i'd rather the uri look like /account/activate/g3de98435jsdf45.
there's no strong reason for it other than aesthetic preference and
symmetry with the rest of our "site map".
> When a user goes to that page, we should look up the id hash and
> activate the account associated with it. To ensure good security, one
> should not be able to calculate the id hash that corresponds to a
> given username.
what happens if that page is requested a second time after the account
was already activated?
> 2. Create a new datastructure specifically for these activation ids.
> This would be a table that mapped activation ids to usernames and
> expiration dates (or creation dates).
that's what i've been thinking: a table called UserActivation or some
such, with id (synthetic primary key), hash, and creation timestamp,
as well as an "activated" flag on User.
the process of activation would then 1) set the flag on User and 2)
remove the associated UserActivation.
> In either case, I'd also like to keep track of a seed number for the
> activation id that is incremented each time a user signs up to avoid
> activation id collisions. Is there any reason not to use a
> ServerProperty for this?
no, that seems fine.
also, have you thought about adding activation to the admin ui? admins
should be able to manually activate accounts, and when an admin
creates an account himself, he should be able to activate it in the
same step without going through all the rigamarole.
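One way to implement the UserActivation table and the activation step sketched in this thread, as an added Python example that is not Cosmo's code: it draws the id from the OS CSPRNG instead of a seed counter, stores only a digest of it in the pending table, and removes the row on use so a second request for the same link finds nothing. The 24-hour lifetime, the class names and the integer timestamps are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

ACTIVATION_TTL = 24 * 3600  # assumed link lifetime in seconds; the thread fixes none


def token_digest(token: str) -> str:
    # Store only a SHA-256 of the token so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


@dataclass
class User:
    username: str
    activated: bool = False  # the "activated" flag on User


@dataclass
class ActivationStore:
    # users: username -> User.  pending: digest -> (username, creation time),
    # i.e. the UserActivation table from the thread, keyed by its hash column.
    users: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)

    def issue(self, username: str, now: int) -> str:
        self.users.setdefault(username, User(username))
        # 32 bytes from the OS CSPRNG: the id cannot be derived from the
        # username, and collisions are negligible without a seed counter.
        token = secrets.token_urlsafe(32)
        self.pending[token_digest(token)] = (username, now)
        return token  # goes into the mailed link: /account/activate/<token>

    def activate(self, token: str, now: int) -> str:
        key = token_digest(token)
        entry = self.pending.get(key)
        if entry is None:
            return "invalid"  # unknown token, or link already used (row removed)
        username, created = entry
        del self.pending[key]  # one-time use: a second request finds no row
        if now - created > ACTIVATION_TTL:
            return "expired"
        self.users[username].activated = True
        return "activated"

    def admin_activate(self, username: str) -> None:
        # Manual activation from the admin UI: set the flag, drop pending rows.
        self.users.setdefault(username, User(username)).activated = True
        self.pending = {k: v for k, v in self.pending.items() if v[0] != username}
```

An expired or already-used link yields a distinguishable result without revealing which username it belonged to.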