Logged in: Logged in as: Log in
Register
Locations of visitors to this page SourceForge.net
free download
install guides
free wiki hosting
enterprise support
.
support
partners
Search:
Page last modified 23:36, 6 Jun 2007 by RoyK
Permalink: http://tinyurl.com/6n32f9
MindTouch Developer Center > MindTouch Deki > Specs > User Registration

User Registration

Table of contents
  1. 1. Problem
  2. 2. Solution
  3. 3. Terminology
  4. 4. Implementation
    1. 4.1. Expiration

Problem

Two options are presented to the administrator when creating a user account:

  1. Input a password but no email to create the account
  2. Input an email but no password, and have the wiki email the user

The problem with option two is that an email is sent in plaintext with the full user credentials to the user. Because this email contains the username, hostname of the wiki, and the password of the user, any third party who receives the email could potentially gain access to the system if the legitimate user does not change his password. This problem could be especially troublesome for administrator accounts that are created.


Solution

When an administrator creates an account with no password, DekiWiki will create a special one-time URL ('nonced url') for the user. This link will be sent to the email account of the new user. The new user will click the link and input their new password, which will then create the user account. Not only does this allow a new user registrant to create their own password, but the password will have never been sent in plaintext over email.


Terminology

  • registrant - a registration record created for a user that has not yet been activated - this is not a true user until the activation is complete
  • nonced url - the url that a new registrant views that allows them to set their own password and create a new account

Implementation

The URL sent will contain a nonce value, which will be unique for that registration. This is not a true nonce in the sense that it can only be viewed once - the nonced URL will remain active until either the registration expires (see below) or until the registration is activated and a new user is created.

Expiration

It is possible that an administrator may want the registrations to expire after a given time period. By defining $wgRegistrationThreshold in LocalSettings.php as an integer, the administrator can set a "time-out" on a registration. This value will give users a certain time period before the registration will expire and the username will be released back into the pool.


Administrators can also define $wgRegistrationHelpTime and $wgRegistrationHelpTimeToAdd values. If a user hits their nonced URL with less than $wgRegistrationHelpTime seconds left before the account expires, the registration time will be pushed back $wgRegistrationHelpTimeToAdd seconds to allow them ample time to register.


Expiration can be set to 0 to prevent all expiration-related functionality. In this case, registration usernames will never be released back into the active username pool.



Tag page
What links here

Files 0

Attach file or image
 

Images 0

 
You must login to post a comment.
Powered by MindTouch Deki Enterprise Edition v.8.08 RC2