gnuherds-app-dev

Re: Hide email validation in "Lost password" page? -- Security bug


From: Davi Leal
Subject: Re: Hide email validation in "Lost password" page? -- Security bug
Date: Thu, 19 Apr 2007 12:20:08 +0200 (CEST)

Victor Engmark wrote:
> Davi Leal wrote:
> > The user has to stay at that page to be able to read that message.
>
> As I pointed out before, we could show the message at the front page. I've
> seen other sites which do this sort of thing.

Cons:
* It is easier to show it at the same page.
* I personally think we do not win anything by showing it at the home page.
* Besides, by showing it at the home page we get more complex source code.
  Keeping the source code easy to understand is key to making
  maintenance easier.


> > > Why "E1_"? Anyway, I'd call it LastPasswordRetrieval or just
> > > PasswordRetrieval (less clear). Separates the information from the
> > > function(s), which could be several.
> >
> > About the field name, I propose a new one:
> >
> >         E1_LastAbuseTime   timestamp,
> >
> > We will be able to use that field for both the "lost password" page and the
> > login pages. It can be used to register the last time an operation of
> > login or lost password has been requested for a user.  What do you think?
>
> I still think it's better to give it a name according to what the field
> contains (which is not the last time the account was abused), rather than
> tie it to the first function using the data from that field.

The field will contain the last timestamp of the use of the lost-password
or login forms, for that entity. What do you think about this?

            E1_LastTimeStamp  timestamp,

Davi



