I have a Forgot my password page where the user enters his/her email. How can I prevent someone from entering different email addresses trying to guess them or spamming my users?

Is there like an IP-based time expiring strategy you would suggest?

--
Posted via http://www.ruby-forum.com/.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Maybe you could use a captcha.

Best Regards,
Everaldo

On Fri, Aug 5, 2011 at 2:32 PM, Leonel *.* <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> I have a Forgot my password page where the user enters his/her email.
> How can I prevent someone from entering different email addresses trying
> to guess them or spamming my users?
>
> Is there like an IP-based time expiring strategy you would suggest?
On Aug 5, 2011, at 1:32 PM, Leonel *.* wrote:
> I have a Forgot my password page where the user enters his/her email.
> How can I prevent someone from entering different email addresses trying
> to guess them or spamming my users?
>
> Is there like an IP-based time expiring strategy you would suggest?

You might be able to stash the fact that the user requested a reset in the session, and only allow it to happen once per session. They'd have to quit their browser or whatever to do it a second time.

Walter
>> I have a Forgot my password page where the user enters his/her email.
>> How can I prevent someone from entering different email addresses trying
>> to guess them or spamming my users?
>>
>> Is there like an IP-based time expiring strategy you would suggest?
>
> You might be able to stash the fact that the user requested a reset in the session, and only allow it to happen once per session. They'd have to quit their browser or whatever to do it a second time.

Or implement a captcha... I wouldn't do IP-based since you could potentially "block" an entire office or any large group behind a firewall...
On Fri, Aug 5, 2011 at 10:32 AM, Leonel *.* <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> I have a Forgot my password page where the user enters his/her email.
> How can I prevent someone from entering different email addresses trying
> to guess them or spamming my users?

I'm not sure what the problem is -- if someone enters an invalid email address, ignore it. If it is valid, send the email. If your message to the user is noncommittal -- "If that email is in our database, we'll ...." then no information re' validity is exposed.

And if they do enter a valid email that's not their own -- well, what of it? Seems pretty pointless to me. And I get those kind of messages occasionally, sure, but who cares? Or is there some aspect of this that I'm missing?

--
Hassan Schroeder ------------------------ hassan.schroeder-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
http://about.me/hassanschroeder
twitter: @hassan
Hassan Schroeder wrote in post #1015184:
> On Fri, Aug 5, 2011 at 10:32 AM, Leonel *.* <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org>
> I'm not sure what the problem is -- if someone enters an invalid email
> address, ignore it. If it is valid, send the email. If your message to
> the user is noncommittal -- "If that email is in our database, we'll ...."
> then no information re' validity is exposed.
>
> And if they do enter a valid email that's not their own -- well, what of
> it? Seems pretty pointless to me. And I get those kind of messages
> occasionally, sure, but who cares? Or is there some aspect of this
> that I'm missing?

Agreed, I mean what's to stop anyone from opening up their favorite email client, start typing in random email addresses in the To field and sending it off? It would be silly for your application to send emails to any random address that's not in your database.

Besides all that, if we can ever get past every piddly web site creating their own username/password combinations and start using centralized user authentication (Twitter, Facebook, OpenID, etc.) this problem of forgetting passwords would go away.
Nothing complicated. It's just to stop a bot or anybody using the login or forgot password form repeatedly.
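As an added example (not code from any poster in this thread), this Ruby class combines the noncommittal reply suggested earlier with the time-expiring limit the original question asks about. `ResetThrottle`, its limits and the in-memory logs are assumptions for illustration; an application running several processes would keep the counters in a shared store.

```ruby
# Added example: uniform reply plus time-expiring throttles for a reset form.
# Class name, limits and the in-memory store are assumptions for illustration.
class ResetThrottle
  REPLY = "If that email is in our database, we'll send reset instructions."

  attr_reader :outbox # stands in for the mailer; holds addresses mailed

  def initialize(known_emails:, per_email: 1, per_ip: 20, window: 900,
                 clock: -> { Time.now.to_f })
    @known = known_emails.map { |e| normalize(e) }
    @per_email = per_email
    @per_ip = per_ip
    @window = window # seconds before a recorded request expires
    @clock = clock
    @ip_log = Hash.new { |h, k| h[k] = [] }
    @sent_log = Hash.new { |h, k| h[k] = [] }
    @outbox = []
  end

  # Returns the same text whether the address is unknown, throttled or mailed,
  # so the form reveals neither account existence nor the limiter's state.
  def request_reset(email, ip)
    email = normalize(email)
    now = @clock.call
    # Every attempt spends an IP slot. The IP limit is loose because many
    # users can share one address (an office behind a firewall).
    # A mailbox slot is spent only when a message is really sent, so each
    # mailbox receives at most per_email messages per window.
    if take(@ip_log[ip], @per_ip, now) && @known.include?(email) &&
       take(@sent_log[email], @per_email, now)
      @outbox << email
    end
    REPLY
  end

  private

  def normalize(email)
    email.to_s.strip.downcase
  end

  # Sliding window: drop expired timestamps, refuse when full, else record.
  def take(log, limit, now)
    log.reject! { |t| t <= now - @window }
    return false if log.size >= limit
    log << now
    true
  end
end
```

The per-mailbox limit is what protects users from repeated reset mail even when requests arrive from many different addresses; the per-IP limit only slows a single noisy client.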
@robert4723 Interesting read: http://productblog.37signals.com/products/2011/01/well-be-retiring-our-support-of-openid-on-may-1.html