Andy Jeffries wrote: > I would implement this slightly differently. Rather than create a > temporary > password, take them through the normal process and then enforce a > password > reset - I would create token, send them a link to a reset password page > that > has the token in the URL, accept a new password on that form, find a > user > with that token and change the password, remove the token from the user > record (so it can't be reclicked from email or hit accidentally) and > redirect them (to either a login page or their profile page if you > automatically log them in from the token).
Thanks, I like this better too. Should have thought of it myself. This would be easier for the user. This is actually a third option too that I didn't mention because it's not quite ready for common use: 3. Eliminate username/password authentication from your site entirely. Then you don't have to worry about password recovery at all (e.g. http://stackoverflow.com). This is the choice I made for my latest web site. However, I had the advantage that my users are software developers, as such I didn't have any qualms about asking them to use OpenID. This was hugely advantageous for me as a developer. I know longer retain any responsibility of storing private data about my users. Not even passwords. Plus, doing this allowed me to forego SSL since there is no longer any private data passing across the internet to my site. This is also becoming a viable option for any web site. Especially when combining OpenID with authentication using Twitter, Facebook, etc. So many big providers such as Google, Microsoft, Yahoo, AOL, WordPresss and others support OpenID these days. It's getting to the point that almost everyone on "The Net" has at least one of these. -- Posted via http://www.ruby-forum.com/. -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-t...@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-talk+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.