Table of contents
    1. Problem
    2. Solution
    3. Terminology
    4. Implementation
      4.1. Expiration

    Problem

    Two options are presented to the administrator when creating a user account:

    1. Input a password but no email to create the account
    2. Input an email but no password, and have the wiki email the user

    The problem with option two is that the wiki sends the full credentials to the user in a plaintext email. Because that email contains the username, the hostname of the wiki, and the user's password, anyone who obtains the message (by reading the mailbox, intercepting it in transit, or finding it later in an archive) can log in as that user for as long as the legitimate user leaves the password unchanged. This is especially troublesome for newly created administrator accounts.


    Solution

    When an administrator creates an account with no password, DekiWiki will instead create a special URL containing a nonce (a 'nonced URL') for the user and send that link to the new user's email address. The new user clicks the link and enters a password of their own choosing, and only then is the user account created. This lets the new registrant pick their own password, and the password is never sent over email, in plaintext or otherwise.


    Terminology

    • registrant - a registration record created for a user that has not yet been activated - this is not a true user until the activation is complete
    • nonced url - the url that a new registrant views that allows them to set their own password and create a new account

    Implementation

    The URL that is sent contains a nonce value that is unique to that registration. It is not a nonce in the strict single-use sense: the nonced URL is not invalidated on first view, but stays active until either the registration expires (see below) or the registration is activated and the real user is created. Because the link can be used more than once during that window, it is itself a credential: the nonce must be unpredictable, and the email carrying it should be treated as sensitive until the registrant has activated the account.

    Expiration

    An administrator may want registrations to expire after a given time period. By defining $wgRegistrationThreshold in LocalSettings.php as an integer, the administrator sets a "time-out" on each registration: the registrant has that long to activate the account, after which the registration expires and the username is released back into the pool of available names.


    Administrators can also define $wgRegistrationHelpTime and $wgRegistrationHelpTimeToAdd values. If a user hits their nonced URL with less than $wgRegistrationHelpTime seconds left before the account expires, the registration time will be pushed back $wgRegistrationHelpTimeToAdd seconds to allow them ample time to register.


    Setting $wgRegistrationThreshold to 0 disables all expiration-related functionality. In this case registration usernames are never released back into the active username pool, and an unactivated nonced URL remains valid indefinitely, so the window in which a leaked email can be used to claim the account never closes.
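    The following is an added example, not DekiWiki's own code, that models the registration flow described in the Implementation and Expiration sections above: a registrant record keyed by an unpredictable nonce, a nonced URL that stays valid until the registration expires or is activated, the $wgRegistrationThreshold time-out (0 disables expiry), and the $wgRegistrationHelpTime / $wgRegistrationHelpTimeToAdd extension. The configuration values, the URL path, and the names RegistrationStore, Registrant and ManualClock are assumptions for the example; in particular the page gives the threshold's unit only for the two help-time settings, so this example assumes seconds throughout.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed configuration values, named after the LocalSettings.php settings the page
# documents. The numbers are illustrative, not DekiWiki defaults.
WG_REGISTRATION_THRESHOLD = 7 * 24 * 3600   # $wgRegistrationThreshold; 0 disables expiry
WG_REGISTRATION_HELP_TIME = 600             # $wgRegistrationHelpTime, seconds
WG_REGISTRATION_HELP_TIME_TO_ADD = 1800     # $wgRegistrationHelpTimeToAdd, seconds

BASE_URL = "https://wiki.example.com/Special:UserRegistration"  # hypothetical endpoint


class ManualClock:
    """Settable clock so expiry logic can be exercised without sleeping."""
    def __init__(self, now: float = 0.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


@dataclass
class Registrant:
    """A registration record that is not yet a real user."""
    username: str
    email: str
    nonce: str
    expires_at: Optional[float]   # None when expiry is disabled (threshold 0)


class RegistrationStore:
    def __init__(self, threshold: int = WG_REGISTRATION_THRESHOLD,
                 help_time: int = WG_REGISTRATION_HELP_TIME,
                 help_time_to_add: int = WG_REGISTRATION_HELP_TIME_TO_ADD,
                 clock: Callable[[], float] = time.time) -> None:
        self.threshold = threshold
        self.help_time = help_time
        self.help_time_to_add = help_time_to_add
        self.clock = clock
        self._registrants: Dict[str, Registrant] = {}   # keyed by nonce
        self._users: Dict[str, bytes] = {}              # username -> salted password hash

    def _purge_expired(self) -> None:
        now = self.clock()
        for nonce, reg in list(self._registrants.items()):
            if reg.expires_at is not None and now >= reg.expires_at:
                del self._registrants[nonce]   # username returns to the pool

    def username_available(self, username: str) -> bool:
        self._purge_expired()
        if username in self._users:
            return False
        return all(r.username != username for r in self._registrants.values())

    def create_registrant(self, username: str, email: str) -> str:
        """Create the pending registration and return the nonced URL to email."""
        if not self.username_available(username):
            raise ValueError(f"username {username!r} is taken or pending activation")
        nonce = secrets.token_urlsafe(32)   # 256 bits from the CSPRNG; the link is a credential
        expires_at = None if self.threshold == 0 else self.clock() + self.threshold
        self._registrants[nonce] = Registrant(username, email, nonce, expires_at)
        return f"{BASE_URL}?nonce={nonce}"

    def lookup(self, nonce: str) -> Optional[Registrant]:
        """Resolve a nonce from a visited URL, applying expiry and the help-time extension."""
        reg = self._registrants.get(nonce)
        if reg is None:
            return None
        if reg.expires_at is not None:
            now = self.clock()
            if now >= reg.expires_at:
                del self._registrants[nonce]
                return None
            if reg.expires_at - now < self.help_time:
                reg.expires_at += self.help_time_to_add   # give the user time to finish
        return reg

    def activate(self, nonce: str, password: str) -> bool:
        """Turn the registrant into a real user; the nonced URL dies here."""
        reg = self.lookup(nonce)
        if reg is None:
            return False
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        self._users[reg.username] = salt + digest
        del self._registrants[nonce]
        return True

    def is_user(self, username: str) -> bool:
        return username in self._users


if __name__ == "__main__":
    clock = ManualClock(0.0)
    store = RegistrationStore(threshold=3600, help_time=600, help_time_to_add=1800, clock=clock)
    url = store.create_registrant("alice", "alice@example.com")
    print("send by email:", url)
    nonce = url.split("nonce=", 1)[1]
    clock.now = 3300.0                     # 300 s left, inside the help window
    print("expiry after extension:", store.lookup(nonce).expires_at)
    print("activated:", store.activate(nonce, "correct horse battery staple"))
    print("link dead after activation:", store.lookup(nonce) is None)
```

    The nonce is drawn from the operating system CSPRNG rather than from a counter or a timestamp, because the link is reusable until expiry or activation and a guessable value would let an attacker claim the account without ever seeing the email. Note also that lookups past the threshold delete the record, which is what releases the username, and that a threshold of 0 leaves expires_at unset so the record is never purged.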


