[buddypress-trac] [BuddyPress] #4132: Upload profile image at activation
buddypress-trac at lists.automattic.com
Fri Apr 20 12:56:59 UTC 2012
#4132: Upload profile image at activation
-------------------------+------------------------------
Reporter: sooskriszta | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Core | Version: 1.5.4
Severity: normal | Resolution:
Keywords: 2nd-opinion |
-------------------------+------------------------------
Comment (by boonebgorges):
> The majority of large sites I know actually have the user logged in at activation.
Can you name some examples? I tend to agree with Paul that it's not secure
to do this kind of auto-login. The issue is this: users activate their
accounts with an activation key, which is sent in plaintext in an email.
For the "96%" of users that activate within a few minutes, there is not
much of a security issue (because the activation keys are deactivated
after being used). But for those few users who never actually click the
link, it means that there is an unused activation key sitting out there,
waiting to be exploited at any point by whoever happens to stumble upon
the email (or even manages to guess the proper URL).
If you want auto-login on activation, it's pretty easy to do with a
plugin. (The hook you'll want to look for is `'bp_core_activated_user'`,
and the WP function is `wp_set_auth_cookie()`.) In this case, I would
recommend that your plugin also set a short expiration date for activation
keys, so that after (say) an hour or a day, a user will have to have a new
key generated and emailed. That'll greatly reduce the likelihood of
compromise.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/4132#comment:4>
BuddyPress <http://buddypress.org/>
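The plugin sketched in the comment above, written out as an added example (not BuddyPress core code and not code from the ticket). It uses the `bp_core_activated_user` hook and `wp_set_auth_cookie()` named in the comment, and it records a signup timestamp on the `bp_core_signup_user` action so that the auto-login step refuses to act on a key that is older than an assumed window. The meta key `_example_signup_time`, the function names and the one-day window are all assumptions of this example. Note that the hook fires after BuddyPress has already accepted the key, so this example only withholds the auto-login for a stale key; invalidating the stale key itself, so that a fresh one is generated and emailed as the comment recommends, has to happen before activation and is not shown here.

```php
<?php
/*
Plugin Name: Example: time-limited auto-login on BuddyPress activation
Description: Added example for the ticket #4132 discussion; not BuddyPress core code.
*/

// Assumption for this example: an activation key older than one day is treated as stale.
define( 'EXAMPLE_ACTIVATION_MAX_AGE', 24 * 60 * 60 );

// Record when the pending account was created. 'bp_core_signup_user' fires after
// BuddyPress registers the signup; '_example_signup_time' is a meta key invented here.
function example_record_signup_time( $user_id ) {
    update_user_meta( $user_id, '_example_signup_time', time() );
}
add_action( 'bp_core_signup_user', 'example_record_signup_time', 10, 1 );

// Returns true only when a recorded signup time exists and is within the window.
function example_activation_is_fresh( $user_id ) {
    $created = (int) get_user_meta( $user_id, '_example_signup_time', true );
    if ( ! $created ) {
        return false; // No record: do not auto-login on an unknown-age key.
    }
    return ( time() - $created ) <= EXAMPLE_ACTIVATION_MAX_AGE;
}

// Log the user in at activation, but only if the key was used promptly.
// 'bp_core_activated_user' passes ( $user_id, $key, $user ).
function example_login_on_activation( $user_id, $key, $user ) {
    if ( ! example_activation_is_fresh( $user_id ) ) {
        // Stale key: the account is activated, but the user must log in normally.
        return;
    }

    wp_set_current_user( $user_id );
    // Third argument: send the cookie as Secure when the activation page is served over SSL.
    wp_set_auth_cookie( $user_id, false, is_ssl() );

    // The timestamp has served its purpose; remove it so it cannot be reused.
    delete_user_meta( $user_id, '_example_signup_time' );
}
add_action( 'bp_core_activated_user', 'example_login_on_activation', 10, 3 );
```

Drop the file into `wp-content/plugins/` and activate it. The check is deliberately fail-closed: a signup with no recorded timestamp (for example one created before the plugin was installed) gets no auto-login, which matches the comment's point that the risky case is the old, unused key rather than the key used within minutes.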