Feature #3588
Avoid using user auth token as a parameter in user activation url
| Status: | Assigned | Start date: | 04/15/2013 |
|---|---|---|---|
| Priority: | Medium | Due date: | |
| Assignee: | Kostas Papadimitriou | % Done: | 0% |
| Category: | Astakos | Spent time: | - |
| Target version: | 0.14.0 | | |
Description
Although we invalidate the token when the user successfully visits the activation url, it feels a bit bold and
prone to cause security issues to use such sensitive information as a parameter to any astakos url.
Astakos could generate a separate identifier for the email verification process.
The identifier should be random, unique across users and preferably contain only url safe characters.
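
One way to generate such an identifier, as an added sketch that is not Astakos code: a single-use, expiring verification code drawn independently of the auth token. The function names, the in-memory store and the 24-hour lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time

# Hypothetical in-memory store standing in for a database table with a
# UNIQUE constraint on the digest column: digest -> (user_id, expires_at).
_pending = {}

CODE_TTL_SECONDS = 24 * 3600  # assumed lifetime, not taken from the ticket


def _digest(code):
    # Only a hash is stored, so a leaked table does not reveal usable codes.
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


def issue_verification_code(user_id, now=None):
    """Return a random, URL-safe code that is unrelated to the auth token."""
    now = time.time() if now is None else now
    # A new request replaces any code still pending for the same user.
    for stale in [d for d, (uid, _) in _pending.items() if uid == user_id]:
        del _pending[stale]
    while True:
        # 32 random bytes, encoded with the alphabet A-Z a-z 0-9 '-' '_'.
        code = secrets.token_urlsafe(32)
        digest = _digest(code)
        if digest not in _pending:  # keeps codes unique across users
            _pending[digest] = (user_id, now + CODE_TTL_SECONDS)
            return code


def activate(code, now=None):
    """Consume a code once; return its user id, or None if unknown or expired."""
    now = time.time() if now is None else now
    entry = _pending.pop(_digest(code), None)  # pop makes the code single use
    if entry is None:
        return None
    user_id, expires_at = entry
    return user_id if now <= expires_at else None
```

The activation URL then carries only this code, so an address that ends up in mail archives, proxy logs or browser history exposes nothing that can authenticate API calls.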