Dave Rolsky wrote:
On Wed, 10 Oct 2007, Dustin Suchter wrote:
Has anyone put together a nice email-validation-link-generator
widget for Catalyst (or Perl, for that matter)? All I can find on
CPAN is something that is part of Jifty (whatever that is).
http://search.cpan.org/~jesse/Jifty-0.70824/plugins/Login/lib/Jifty/Plugin/Login/Action/ConfirmEmail.pm
In a perfect world this widget would be really simple:
-generates long random codes for use in confirm links
-stores those links server-side in temp files instead of a DB to
prevent DDoS on a db
Huh? You can't prevent a DDoS by storing stuff on the filesystem and
not in a DBMS. And the distributed part isn't the issue, it's just the
DoS part one would worry about. Presumably filling up the file system
will also cause a DoS, but so would signing up for an account in the
app of choice and submitting too much content.
More importantly, some people will _need_ to store it in the DBMS
because they have multiple web servers and don't want to enable NFS
just to store it in the file system ;)
If this sort of plugin were useful, the storage should probably be
pluggable, just like with Sessions. I'm not convinced that this sort
of thing can be made generic enough to be a useful plugin, but that's
a different issue.
-dave
I don't have code for this any more, but it is possible to do this
without storing anything either in the DB or the filesystem so it would
prevent any DoS.
The principle is this.
Create a text string containing the user-id and the date, e.g.
'666-20001011' then append a 'secret' code to it only known by the
server giving you a string like '666-20001011-ThiSW1llNev3rBQuessed'.
You now apply your favorite one-way hash function to this string, for
example MD5 or SHA1.
You now include in your email the link to the site with the string
'666-20001011-<SHA1 or MD5 string goes here>'
When you receive the code you can tell (from the date) if it has expired,
and the user-id, and you can verify the hash value by re-creating the
string with the server secret code and re-applying the hash.
This gives you email validation, with timeout, without having to store
anything serverside.
Regards
Ian
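The stateless scheme Ian describes, written out as an added example (this is not code from the thread or from Catalyst). The secret, the expiry window and the user id are constructed sample values. It uses HMAC-SHA256 from the core Digest::SHA module as the keyed hash rather than a bare SHA1/MD5 over "message plus secret", since HMAC is the standard construction for exactly this "hash with a server-only secret" purpose, and it compares tags in constant time so a forged link cannot be probed byte by byte. The date embedded in the token gives the timeout, and nothing is stored server-side; the trade-off a practitioner should keep in mind is that without storage a token cannot be revoked before it expires, so keep the window short.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
use Time::Local qw(timegm);

# Server-only secret. Constructed sample value for this example; a real
# deployment loads a long random value from configuration, not from source.
my $SECRET = 'ThiSW1llNev3rBQuessed-example-only';

# How many days a confirmation link stays valid (example setting).
my $MAX_AGE_DAYS = 2;

# Build the token that goes into the confirmation link.
# Layout: "<user-id>-<YYYYMMDD>-<hex tag>", the tag being an HMAC over
# "<user-id>-<YYYYMMDD>" keyed with the server secret.
sub make_token {
    my ($user_id, $yyyymmdd) = @_;
    my $msg = "$user_id-$yyyymmdd";
    return "$msg-" . hmac_sha256_hex($msg, $SECRET);
}

# Compare two strings without leaking the position of the first mismatch.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Whole days from one YYYYMMDD date to another (UTC); undef on bad input.
sub days_between {
    my ($from, $to) = @_;
    my @f = $from =~ /^(\d{4})(\d{2})(\d{2})$/ or return undef;
    my @t = $to   =~ /^(\d{4})(\d{2})(\d{2})$/ or return undef;
    my $tf = timegm(0, 0, 0, $f[2], $f[1] - 1, $f[0]);
    my $tt = timegm(0, 0, 0, $t[2], $t[1] - 1, $t[0]);
    return int(($tt - $tf) / 86400);
}

# Verify a token received from a link. Returns the user id on success and
# undef on any failure: malformed token, wrong tag, or outside the window.
# The tag is checked before the date so the two failure modes are not
# distinguishable by timing.
sub verify_token {
    my ($token, $today) = @_;
    my ($user_id, $date, $tag) =
        $token =~ /^(\d+)-(\d{8})-([0-9a-f]{64})$/ or return undef;
    my $expected = hmac_sha256_hex("$user_id-$date", $SECRET);
    return undef unless constant_time_eq($tag, $expected);
    my $age = days_between($date, $today);
    return undef if !defined $age || $age < 0 || $age > $MAX_AGE_DAYS;
    return $user_id;
}

# Demonstration with constructed inputs.
my $token = make_token(666, '20001011');
print "link:    https://example.invalid/confirm/$token\n";

for my $case (
    [ 'fresh',   $token, '20001012' ],   # accepted: one day old
    [ 'expired', $token, '20001020' ],   # rejected: past the window
    [ 'forged',  do { (my $t = $token) =~ s/^666-/667-/; $t }, '20001012' ],
) {
    my ($name, $tok, $today) = @$case;
    my $uid = verify_token($tok, $today);
    printf "%-8s %s\n", "$name:", defined $uid ? "user $uid" : 'REJECT';
}
```

Because the tag covers only the user id and the date, a user who changes their address between signup and clicking the link would still be confirmed for the old one; if that matters, include the email address in the signed message as well, so the link is bound to the address it was sent to.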
_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[EMAIL PROTECTED]/
Dev site: http://dev.catalyst.perl.org/