Ruby on Rails 3 - Security riddle: confirming email and resetting passwords
I'm using Devise on a Rails 3.0 app, and have Confirmable and Recoverable turned on. These modules require users to confirm their email account (Confirmable) and allow users to reset their password by having an email sent to their email account (Recoverable).
Unfortunately we've had difficulty "devising" (pun intended) a reasonable security policy that permits users to use the site without confirming their account. We enforce the following requirements for security:
1. Confirming an account requires being signed in or signing in. If this were not the case, and user A accidentally entered the wrong email address, one belonging to malicious user B, then B would receive the confirmation email link, be automatically signed in, and from there could reset the password via the "email reset password link." Requiring B to sign in with A's credentials eliminates this possibility.
2. Resetting a password via email requires having a confirmed email. This is because if user A accidentally enters the wrong email address, one belonging to malicious user B, B will receive the confirmation email link and know that A has signed up for an account. B can then visit the site and use the reset password functionality to change the password on A's account, and subsequently confirm the account. Requiring a confirmed email address eliminates this possibility.
So far so good. Except when a user creates an account, doesn't confirm the account yet, and then returns to the site having forgotten their password. Here we are caught in a circular dependency loop: resetting the password requires confirming the account, and confirming the account requires signing in with the password that has been forgotten.
Two possible solutions:
1. Requiring users to confirm their account after signing in. This creates more sign-up friction, but eliminates the circular dependency.
2. Permitting users to reset their password without a confirmed account, but not allowing users to enter sensitive information or perform critical actions before confirming the account. This way an account hijack by malicious user B is still possible, but they gain control of an account without any valuable information or power.
Are there better solutions out there? How do companies deal with this issue? I've used several sites that do not require immediate email confirmation, so it'd be nice if there were a way that doesn't require implementing the complicated #2.
Thank you!
Create some sort of role for users who are authenticated but not confirmed. It is not unreasonable to require the user to confirm their account before making account changes (such as resetting their password or email address).
I think the trick here is that you can let the user confirm their account without being logged in. If the user put in the wrong email address, what can they expect you to do? It's best for them to put in the right email address at the beginning. It's a rather unforgivable sin for a user - they should know how to put in their email address. If they can't get the email, and used the wrong account, the last resort is tech support and/or giving them security questions to help them recover the account.
After clicking the "confirm" link in the email, they should be asked to log in. It's as simple as that. "Thanks for confirming your account, please log in". Don't automatically log them in; that is a security issue, especially if they have a "profile" with sensitive information.
In the scenario where a non-confirmed user forgets their password: tell them they have to confirm their account first, and offer to resend the email. After that, give them the option to reset their password via email. It's clunky, but the user will be understanding if you explain why they have to go through this. They are the ones forgetting their information, so they shouldn't be harsh on you.
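The flow this answer describes, as an added example that is not part of the original post and not Devise's own code: a plain Ruby model in which the confirmation link never creates a session, reset tokens are only issued to confirmed accounts, and an unconfirmed user asking for a reset gets the confirmation resent instead (the Account class and its method names are assumptions for illustration).

```ruby
require 'securerandom'
require 'digest'

# Added illustration, not Devise's own code: the flow the answer describes.
# Confirming never creates a session, and a reset token is only issued to a
# confirmed account; an unconfirmed user gets the confirmation resent instead.
class Account
  def initialize(password)
    @password_digest = digest_of(password)
    @confirmed = false
    @tokens = {} # kind => digest of the single-use token, never the token itself
  end
  def confirmed?; @confirmed; end
  # Returns the token that would be placed in the confirmation email.
  def send_confirmation; issue(:confirm); end

  # Marks the account confirmed but deliberately returns no session:
  # whoever holds the link still needs the password to get in.
  def confirm(token)
    return :invalid_token unless redeem(:confirm, token)
    @confirmed = true
    :confirmed_please_log_in
  end

  # Unconfirmed accounts are sent back to confirmation first, so the
  # "forgot password before confirming" case is not a dead end.
  def request_password_reset
    return [:resend_confirmation, send_confirmation] unless confirmed?
    [:reset_email, issue(:reset)]
  end
  def reset_password(token, new_password)
    return :reset_refused unless confirmed? && redeem(:reset, token)
    @password_digest = digest_of(new_password)
    :password_changed
  end
  def authenticate(password); @password_digest == digest_of(password); end
  private
  def issue(kind)
    token = SecureRandom.hex(16)
    @tokens[kind] = digest_of(token)
    token
  end
  # Single use: a token that matches is discarded as it is redeemed.
  def redeem(kind, token)
    return false unless @tokens[kind] == digest_of(token)
    @tokens.delete(kind)
    true
  end
  def digest_of(value); Digest::SHA256.hexdigest(value); end
end
```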