Thanks Jeff - another option occurred to me after sending the original
message and I wonder if this would work. You've probably subscribed to list
servers that send an authentication (confirmation) request to the
subscriber. Let's say I subscribe you to AnyListServer because I'm just
someone that likes to do nuisance things to people. AnyListServer would
actually send you an e-mail (not me - the nasty subscriber) asking you to
click on a link to confirm the change (or the subscription request) i.e. the
change wouldn't be made until you had come back and confirmed it via a link
in an email sent to you (the actual subscriber's email address) by the
system.
This sounds OK but might run into dramas if you are entering a change of
email address because the system will send it to the old one. Although I'd
like to think people have a forwarder in for a little while and they'll still
get it via the old address.
Any thoughts?
****
Kevin Parker
Web Services Manager
WorkCover Corporation
[EMAIL PROTECTED]
www.workcover.com
p: +61 8 82332548
f: +61 8 82332000
m: 0418 806 166
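The confirmation loop described in the message above, as an added example that is not part of the original thread: a requested change is parked until a single-use, expiring token mailed to the address already on record is presented, so a forwarded newsletter link alone changes nothing. The names `PendingChanges`, `TOKEN_TTL` and `ALLOWED_FIELDS`, the 24-hour lifetime, and the in-memory dicts standing in for the database and mailer are all assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 24 * 3600                 # assumed token lifetime, in seconds
ALLOWED_FIELDS = {"email", "format"}  # details a subscriber may change


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


class PendingChanges:
    """Hypothetical in-memory stand-in for the subscriber table and mailer."""

    def __init__(self):
        self.subscribers = {}  # id -> {"email": ..., "format": ...}
        self.pending = {}      # sha256(token) -> (id, changes, expires_at)
        self.outbox = []       # (recipient, token) pairs that would be mailed

    def request_change(self, sub_id, changes, now=None):
        """Park the change and mail a one-time token to the address on record."""
        if not changes or set(changes) - ALLOWED_FIELDS:
            raise ValueError("unsupported field")
        now = time.time() if now is None else now
        # Recipient is the stored address, never one supplied in the request.
        recipient = self.subscribers[sub_id]["email"]
        token = secrets.token_urlsafe(32)  # random per request, not a fixed key
        # Only the hash is stored, so a leaked table does not yield usable links.
        self.pending[_digest(token)] = (sub_id, dict(changes), now + TOKEN_TTL)
        self.outbox.append((recipient, token))

    def confirm(self, token, now=None):
        """Apply the parked change if the token is known, unused and unexpired."""
        now = time.time() if now is None else now
        entry = self.pending.pop(_digest(token), None)  # pop makes it single use
        if entry is None:
            return False
        sub_id, changes, expires_at = entry
        if now > expires_at:
            return False
        self.subscribers[sub_id].update(changes)
        return True
```

A change of e-mail address is confirmed at the old address here, which is the trade-off raised in the message above.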
-----Original Message-----
From: Garza, Jeff [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 25 July 2001 11:13:AM
To: CF-Talk
Subject: RE: User authentication
Kevin,
Unless you can go the PKI route (which I highly doubt since it's darn near
impossible to implement even in a closed system let alone a public one...
but I digress..) I don't think you'll be able to do something like this
without compromising security. I think you're stuck with YAP.
What I would recommend is that you use cookies to manage this. Use a guid
or encrypted string and store that in a cookie (you've seen the check boxes
where they say "remember me...") with a corresponding value in the database.
When the user hits the login page, check for the cookie and if it exists,
the user will be automatically logged in. This is location based security
at its worst, but it's a nice workaround for those that don't want to
remember all those darn passwords. This would thwart the casual user who
may have been forwarded the mail since they wouldn't have the cookie and
couldn't get one unless they logged in successfully.
HTH,
Jeff Garza
Webmaster/Lead Developer
Spectrum Astro, Inc.
[EMAIL PROTECTED]
-----Original Message-----
From: Parker, Kevin
To: CF-Talk
Sent: 7/24/01 6:05 PM
Subject: User authentication
Can someone offer a little advice here please?
I am converting a paper based newsletter to an electronic newsletter
(e-mail based). Very broadly, users will have the ability to elect to
receive as Plain Text or HTML, change their e-mail address etc. What I
planned on doing was embedding in the e-mail a link to the
subscription/member system so that users can open a page that allows
them to only change their details. This would mean that each e-mail that
went out would have to contain the unique key that gives that recipient
access to their details only. I am trying to avoid giving them a YAP
(Yet Another Password). This seems OK except where the subscriber may
forward the e-mail to someone else because then they would be passing
their key to that person (who is not a subscriber and could alter the
forwarder's details).
Any advice or suggestions please. TIA!
****
Kevin Parker
Web Services Manager
WorkCover Corporation
[EMAIL PROTECTED]
www.workcover.com
p: +61 8 82332548
f: +61 8 82332000
m: 0418 806 166