Hi, I am using django-allauth to register and authenticate users in my site. I am a little bit confused with the way it handles email verifications. After the message is sent to the user and the user confirms his email, the confirmation stays available on the site. I saw the source code for the ConfirmEmailView(TemplateResponseMixin, View) class and there in the comments, after it logs in the user right after the confirmation, it says

    #     Simply logging in the user may become a security issue. If you
    #     do not take proper care (e.g. don't purge used email
    #     confirmations), a malicious person that got hold of the link
    #     will be able to login over and over again and the user is
    #     unable to do anything about it. Even restoring his own mailbox
    #     security will not help, as the links will still work. For
    #     password reset this is different, this mechanism works only as
    #     long as the attacker has access to the mailbox. If he no
    #     longer has access he cannot issue a password request and
    #     intercept it. Furthermore, all places where the links are
    #     listed (log files, but even Google Analytics) all of a sudden
    #     need to be secured. Purging the email confirmation once
    #     confirmed changes the behavior -- users will not be able to
    #     repeatedly confirm (in case they forgot that they already
    #     clicked the mail).

I have already overridden that class so it doesn't auto login the user after successful confirmation and it deletes the used confirmation. If the user needs a new confirmation it generates a new one and sends it.

My question is, why does allauth keep the used confirmation even if it says it must be purged? Is there any reason to keep the used confirmation, and am I doing something wrong by deleting it?

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/52F3F5F4.70701%40yahoo.gr.
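The behaviour the quoted allauth comment warns about (a confirmation link that keeps working after it has been used) can be shown in isolation, without Django. The following is an added example, not code from the original post or from django-allauth: a small in-memory confirmation store that stores only a hash of the random key, expires keys after a time-to-live, and purges the record on first successful use so that a replayed link is rejected. The class name, the `ttl_seconds` and `clock` parameters and the constructed sample addresses are assumptions made for the example; the verified address is recorded separately from any session, so confirming an address does not by itself log anyone in.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set


@dataclass
class PendingConfirmation:
    """One outstanding email confirmation (hypothetical record type for this example)."""
    email: str
    created_at: float


class EmailConfirmationStore:
    """Single-use email confirmations.

    - The raw key is never stored: only its SHA-256 hash, so a leaked database
      row or log line does not yield a usable link.
    - Keys expire after ``ttl_seconds``.
    - A key is deleted on first successful confirmation, so the same link
      cannot be replayed later (the "purge used confirmations" advice).
    - Issuing a new key for an address invalidates the earlier one.
    """

    def __init__(self, ttl_seconds: float = 3 * 24 * 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl_seconds
        self._clock = clock          # injectable clock so expiry can be tested
        self._pending: Dict[str, PendingConfirmation] = {}   # key_hash -> record
        self.verified: Set[str] = set()                      # confirmed addresses

    @staticmethod
    def _hash(key: str) -> str:
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def create(self, email: str) -> str:
        """Issue a fresh confirmation key for ``email`` and return it (to be emailed)."""
        # Drop any earlier outstanding confirmation for the same address.
        for key_hash, record in list(self._pending.items()):
            if record.email == email:
                del self._pending[key_hash]
        key = secrets.token_urlsafe(32)          # 256 bits of randomness
        self._pending[self._hash(key)] = PendingConfirmation(email, self._clock())
        return key

    def confirm(self, key: str) -> Optional[str]:
        """Consume ``key``. Returns the confirmed address, or None if the key is
        unknown, expired, or has already been used."""
        key_hash = self._hash(key)
        record = self._pending.get(key_hash)
        if record is None:
            return None
        if self._clock() - record.created_at > self._ttl:
            del self._pending[key_hash]          # expired: discard, do not honour
            return None
        del self._pending[key_hash]              # purge: the link is now dead
        self.verified.add(record.email)
        return record.email

    def pending_count(self) -> int:
        return len(self._pending)


def demo() -> dict:
    """Walk through the normal flow and the replay/expiry cases on constructed data."""
    now = [1000.0]
    store = EmailConfirmationStore(ttl_seconds=60, clock=lambda: now[0])

    key = store.create("alice@example.com")      # constructed sample address
    first = store.confirm(key)                   # "alice@example.com"
    replay = store.confirm(key)                  # None: same link used again

    old_key = store.create("bob@example.com")
    now[0] += 61                                 # advance past the TTL
    expired = store.confirm(old_key)             # None: too old

    superseded = store.create("carol@example.com")
    current = store.create("carol@example.com")  # re-request invalidates the first
    return {
        "first": first,
        "replay": replay,
        "expired": expired,
        "superseded": store.confirm(superseded),   # None
        "current": store.confirm(current),         # "carol@example.com"
        "pending_left": store.pending_count(),     # 0
        "verified": sorted(store.verified),
    }


if __name__ == "__main__":
    print(demo())
```

Deleting the record on use is what makes the second click fail, which is exactly the trade-off the allauth comment describes: a user who forgets they already confirmed gets an error instead of a silent success, and the remedy is to let them request a fresh key rather than to keep the old one alive.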