On Thursday, 29 June 2006 00:10, Ralf S. Engelschall wrote:
Hi Ralf,
> > E.g. the stupid registration feature requires email validation within a
> > short period of time (some minutes).
>
> No, the registration timeout is 1 hour(!), not a few minutes. And it was
> set to this value last time in April when you complained the first time ;-)
Please check the attached original email and the timestamps.
Registration process started at
> Date: Wed, 28 Jun 2006 21:46:57 +0200
> Received: from master.openpkg.org (master.openpkg.org [195.30.6.158])
> by master.openpkg.org (Postfix) with SMTP id DD2E11B504D
> for <[EMAIL PROTECTED]>; Wed, 28 Jun 2006 21:46:57 +0200 (CEST)
It was then delayed for about 22 minutes (effect of the greylisting)
> Received: from master.openpkg.org (master.openpkg.org [195.30.6.158])
> by www.erfrakon.de (Postfix) with ESMTP id 88030407693
> for <[EMAIL PROTECTED]>; Wed, 28 Jun 2006 22:09:02 +0200 (CEST)
Then the system sent the following text in the body
> To finish your registration you have to activate your account
> by going to the following URL until 2006-06-28 20:46:57 UTC:
2006-06-28 20:46:57 UTC (sic!)
This means 2006-06-28 22:46:57 CEST or practically
21:46:57 interactive registration in the webinterface
including solving a trivial captcha
22:09:02 mail finally arrives in my account (this means the user has
to check mail very frequently until after more than twenty minutes it
finally arrived)
22:46:57 time slot is closed - this leaves about a 37-minute slot after
waiting for 22 minutes. This slot is difficult for the user to not miss
because the time slot is unknown to the users.
> > This breaks much too often! Think about people
> > doing something else in the meantime and especially consider the very
> > common smtp greylisting.
Hitting the slot is too difficult.
> One hour should be good enough even for greylisting. But ok, I've
> increased it now to 8 hours. But please keep in mind that both the
> timeout and the blocking of additional enrollments before the timeout
> runs out are important: the blocking exists to make sure that the
> enrollment process cannot be abused for spamming purposes by just
> creating enrollments too often within a short timeframe.
I fail to understand why the potentially repeated enrollments can be abused
by any spammer doing their business.
> OTOH, if the
> timeframe is too large this becomes a problem if the mail with the
> activation URL is lost somewhere (spam filters!) as a new enrollment is
> then blocked until the timeout runs out. So, sorry, we cannot get rid of
> the timeout and we cannot increase it too much.
This is not how your system works. After the timeout is reached the enrollment
process is both blocked and the system does not allow repeating the process
from the beginning reusing the same email address.
(I verified this as I tried to start the procedure from the beginning after I
missed the time slot)
> > An additional idiocy is that after the registration timed out the system
> > disallows to start over :-((
> >
> > https://registry.openpkg.org/ase
> >
> > "Email address already in use since 2006-06-28 20:39:26"
Another time stamp of which I assume that it is in UTC time zone.
> According to the OSSP ase code this particular error really means what
> it says: that the Email is already in _use_, i.e., it was already
> successfully(!) enrolled.
"Email address already in use since 2006-06-28 20:39:26" (again missing the
time zone information so I guess UTC is meant!!) does not mean much more than
that I started the registration process yesterday at 22:39:26 CEST.
In addition there is some incorrect time setting at your side as I started the
process at 21:46:57 not at 20:39:26.
As a minimal action I propose to change the text to something like:
"Email address already successfully confirmed. You may now proceed using the
OpenPKG download offering by following the following URL..."
> This error does _not_ occur if the timeout
> happened. The error on timeouts is "Email address already in use for
> enrolling since ....". This is the "blocking" case I mentioned above to
> prevent abuse by spammers.
How shall a _user_ know the difference!! How do you expect an end user to
know that _Error_ message "Email address already in use since 2006-06-28
20:39:26" means that the confirmation process already worked and is the
opposite of "Email address already in use for enrolling since ...."
> good user
> acceptance. But as I tried to explain above, the enrollment timeouts
> exist for good reasons. Sorry that they bothered you. But according to
> the database you now at least registered successfully under the address
> [EMAIL PROTECTED]
The webinterface _never_ told me that I successfully registered. How should I
know?
In addition after providing me with the misleading error message it did not
tell me how to proceed.
IMHO you urgently need to vastly improve the usability of the registration
process or you are going to scare away your existing and potential future
users.
Regards,
-- martin
--
http://www.erfrakon.com/
Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker
=============================================================================
Return-Path: <[EMAIL PROTECTED]>
Received: from localhost (localhost [127.0.0.1])
by mail.hq.erfrakon.de (Cyrus v2.2.12) with LMTPA;
Wed, 28 Jun 2006 22:09:02 +0200
X-Sieve: CMU Sieve 2.2
Received: from localhost (localhost [127.0.0.1])
by mail.hq.erfrakon.de (Postfix) with ESMTP id 711101078002
for <[EMAIL PROTECTED]>; Wed, 28 Jun 2006 22:09:02 +0200 (CEST)
Received: from www.erfrakon.de (localhost [127.0.0.1])
by mail.hq.erfrakon.de (Postfix) with ESMTP id 647711078001
for <[EMAIL PROTECTED]>; Wed, 28 Jun 2006 22:09:02 +0200 (CEST)
X-Greylist: delayed 1330 seconds by postgrey-1.21 at a15182363; Wed, 28 Jun
2006 22:09:02 CEST
Received: from master.openpkg.org (master.openpkg.org [195.30.6.158])
by www.erfrakon.de (Postfix) with ESMTP id 88030407693
for <[EMAIL PROTECTED]>; Wed, 28 Jun 2006 22:09:02 +0200 (CEST)
Received: from master.openpkg.org (master.openpkg.org [195.30.6.158])
by master.openpkg.org (Postfix) with SMTP id DD2E11B504D
for <[EMAIL PROTECTED]>; Wed, 28 Jun 2006 21:46:57 +0200 (CEST)
Subject: OpenPKG Registration
Date: Wed, 28 Jun 2006 21:46:57 +0200
Mime-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
To: [EMAIL PROTECTED]
Content-Transfer-Encoding: quoted-printable
From: OpenPKG Affiliation Service Environment <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
X-Kolab-Scheduling-Message: FALSE
X-UID: 193628
X-Length: 1811
Status: R
X-Status: NC
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:
Thank you for your registering to OpenPKG.
To finish your registration you have to activate your account
by going to the following URL until 2006-06-28 20:46:57 UTC:
https://registry.openpkg.org/ase?mode=3Dactivation;uuid=3Ddb6dba3a-06de-11d=
b-9375-000e0c4e71a6
--=20
Affiliation Service Environment
https://registry.openpkg.org/ase
______________________________________________________________________
The OpenPKG Project www.openpkg.org
User Communication List [email protected]
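
The timeline worked out by hand in the mail above can be derived directly from the attached message. The following is an added example, not part of the original mail and not OSSP ase code: it reads the Received hops, the X-Greylist header and the "until ... UTC" deadline, and reports how much of the activation window the greylisting delay consumed. RAW is a trimmed copy of the attachment (the redacted "for <...>" clauses are dropped), and the function and key names are assumptions.

```python
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Trimmed copy of the attached activation mail (recipient clauses removed).
RAW = """\
Received: from localhost (localhost [127.0.0.1])
 by mail.hq.erfrakon.de (Cyrus v2.2.12) with LMTPA;
 Wed, 28 Jun 2006 22:09:02 +0200
X-Greylist: delayed 1330 seconds by postgrey-1.21 at a15182363; Wed, 28 Jun
 2006 22:09:02 CEST
Received: from master.openpkg.org (master.openpkg.org [195.30.6.158])
 by www.erfrakon.de (Postfix) with ESMTP id 88030407693;
 Wed, 28 Jun 2006 22:09:02 +0200 (CEST)
Received: from master.openpkg.org (master.openpkg.org [195.30.6.158])
 by master.openpkg.org (Postfix) with SMTP id DD2E11B504D;
 Wed, 28 Jun 2006 21:46:57 +0200 (CEST)
Subject: OpenPKG Registration

To finish your registration you have to activate your account
by going to the following URL until 2006-06-28 20:46:57 UTC:
"""

def hop_times(msg):
    """Timestamps of the Received hops, oldest first.

    Each MTA prepends its header, so the list is reversed. The timestamp is
    the text after the last ';' and a trailing '(CEST)' comment is ignored.
    """
    stamps = [parsedate_to_datetime(h.rsplit(";", 1)[1].strip())
              for h in msg.get_all("Received", [])]
    return list(reversed(stamps))

def activation_window(raw):
    """Compare mail transit time with the activation deadline in the body."""
    msg = message_from_string(raw)
    hops = hop_times(msg)
    sent, delivered = hops[0], hops[-1]
    grey = re.search(r"delayed (\d+) seconds", msg.get("X-Greylist", ""))
    m = re.search(r"until (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC", msg.get_payload())
    deadline = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(
        tzinfo=timezone.utc)
    return {
        "transit_s": int((delivered - sent).total_seconds()),
        "greylist_s": int(grey.group(1)) if grey else 0,  # as reported by postgrey
        "window_s": int((deadline - sent).total_seconds()),
        "usable_s": int((deadline - delivered).total_seconds()),
        # Deadline rendered in the sender's own UTC offset, with the offset shown.
        "deadline_local": deadline.astimezone(sent.tzinfo).strftime(
            "%Y-%m-%d %H:%M:%S %z"),
    }
```

The "usable_s" value is the slot actually left to the user after delivery, and "deadline_local" shows the deadline with an explicit offset, which is the information the mail above says was missing.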