Hi, I am using django-allauth to register and authenticate users in my
site. I am a little bit confused with the way it handles email
verifications. After the message is sent to the user and the user
confirms his email, the confirmation stays available on the site. I saw
the source code for the ConfirmEmailView(TemplateResponseMixin, View)
class and there in the comments, after it logs the user in right after
the confirmation, it says:
# Simply logging in the user may become a security issue. If you
# do not take proper care (e.g. don't purge used email
# confirmations), a malicious person that got hold of the link
# will be able to login over and over again and the user is
# unable to do anything about it. Even restoring his own mailbox
# security will not help, as the links will still work. For
# password reset this is different, this mechanism works only as
# long as the attacker has access to the mailbox. If he no
# longer has access he cannot issue a password request and
# intercept it. Furthermore, all places where the links are
# listed (log files, but even Google Analytics) all of a sudden
# need to be secured. Purging the email confirmation once
# confirmed changes the behavior -- users will not be able to
# repeatedly confirm (in case they forgot that they already
# clicked the mail).
I have already overridden that class so it doesn't auto login the user
after successful confirmation and it deletes the used confirmation. If
the user needs a new confirmation it generates a new one and sends it.
My question is, why does allauth keep the used confirmation even if it says
it must be purged? Is there any reason to keep the used confirmation, and
am I doing something wrong by deleting it?
--
You received this message because you are subscribed to the Google Groups "Django
users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-users/52F3F5F4.70701%40yahoo.gr.
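To make the risk described in the quoted allauth comment concrete, here is an added example (not allauth's code, and not the poster's override) using a hypothetical in-memory ConfirmationStore that stands in for the email-confirmation table. It contrasts keeping a confirmation row after use, where the same mailed link keeps working, with purging it on first use, where the link becomes single-use; the key is stored hashed so that a leaked table or log copy does not yield usable links.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone


class ConfirmationStore:
    """Hypothetical stand-in for allauth's EmailConfirmation table.

    purge_on_confirm=False mirrors the behaviour the post asks about: the
    row survives confirmation, so the link can be replayed indefinitely.
    purge_on_confirm=True deletes the row on first use (single-use link).
    """

    def __init__(self, purge_on_confirm, ttl=timedelta(days=3)):
        self.purge_on_confirm = purge_on_confirm
        self.ttl = ttl
        self._rows = {}  # sha256(key) -> [email, created, confirmed]

    def issue(self, email, now=None):
        """Create a confirmation and return the raw key that goes in the mail."""
        now = now or datetime.now(timezone.utc)
        key = secrets.token_urlsafe(32)
        self._rows[self._digest(key)] = [email, now, False]
        return key

    def confirm(self, key, now=None):
        """Return the confirmed email, or None if the key is unknown or expired."""
        now = now or datetime.now(timezone.utc)
        digest = self._digest(key)
        row = self._rows.get(digest)
        if row is None:
            return None
        email, created, _confirmed = row
        if now - created > self.ttl:
            del self._rows[digest]  # expired rows are dropped under either policy
            return None
        if self.purge_on_confirm:
            del self._rows[digest]  # first successful use invalidates the link
        else:
            row[2] = True           # row kept: the same link works again
        return email

    @staticmethod
    def _digest(key):
        # Only a hash is persisted, so the stored row cannot be turned back into a link.
        return hashlib.sha256(key.encode()).hexdigest()


def replay_count(purge_on_confirm, attempts=3):
    """Count how many times one mailed link is accepted under the given policy."""
    store = ConfirmationStore(purge_on_confirm)
    key = store.issue("user@example.com")  # constructed sample address
    return sum(store.confirm(key) is not None for _ in range(attempts))
```

With purging disabled the same link is accepted on every attempt; with purging enabled only the first use succeeds, and a key presented after the TTL is rejected and removed.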