It works, and let's make it better

Currently, we’re working on a site. I will tell you about what site it is. This time, I want to share our ideas about how we build it. It comes with membership features: you know, registration, login and password reminder. The current site (we are actually redeveloping the current site) already has the password reminder feature, and it works fine.
BUT, we think that the process can, and should, be improved. Here is the scenario (from the current site) for the password reminder:

  • A user fills in the email field with his/her account’s email address.
  • The system generates a random password for the account.
  • The user can log in with the new password.

It works. But, there are some other situations:

  • Other members can see each other’s profiles.
  • On the profile page, the email address is shown in readable form.

So, members can easily bug each other. Of course, only when they want to. The point is: it can be done. If someone puts another member’s email address in, he/she can reset that member’s password. “Hey, someone changed my password without my permission. I need to change it again now…”

We think that this can be improved. So, we changed the process. Not only because many services also use this, but because we believe that it’s better:

  • A user fills in the email field with his/her account’s email address.
  • The system generates a confirmation code and sends it to the user’s email address, with a confirmation link. If he/she wants to change the password, they follow the link. Otherwise, they can ignore it.
  • Once the password reminder request is confirmed, a randomly-generated password is delivered.
  • The user can log in with the new password and change it into a more memorable password.

That’s an idea.
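The revised flow, as an added example in Python that is not code from this post or from the site it describes. The in-memory account and request stores, the 30-minute link expiry, the example.invalid URL and keeping only a hash of the confirmation code are assumptions made here; the point it shows is that submitting someone else’s email address no longer changes their password, only a click on the emailed link does.

```python
import hashlib
import secrets
import string
import time

TOKEN_TTL_SECONDS = 30 * 60  # assumption: confirmation links expire after 30 minutes


class PasswordReminder:
    """Two-step reminder: request -> confirmation link -> new random password."""

    def __init__(self, accounts, now=time.time):
        self.accounts = accounts  # email -> current password (constructed in-memory store)
        self.pending = {}         # sha256(code) -> (email, expires_at); only the hash is kept
        self.now = now            # injectable clock so expiry can be exercised
        self.outbox = []          # (email, message) pairs standing in for sent mail

    def request(self, email):
        """Step 1: only a confirmation link goes out; the account itself is untouched."""
        if email not in self.accounts:
            return None  # unknown address: nothing is generated and nothing is sent
        code = secrets.token_urlsafe(32)
        key = hashlib.sha256(code.encode()).hexdigest()
        self.pending[key] = (email, self.now() + TOKEN_TTL_SECONDS)
        self.outbox.append((email, f"Confirm the reset: https://example.invalid/reset?code={code}"))
        return code

    def confirm(self, code):
        """Step 2: a valid, unexpired, unused code replaces the password; anything else is ignored."""
        key = hashlib.sha256(code.encode()).hexdigest()
        entry = self.pending.pop(key, None)  # single use: the code is consumed either way
        if entry is None:
            return None
        email, expires_at = entry
        if self.now() > expires_at:
            return None  # stale link: the old password stays in place
        alphabet = string.ascii_letters + string.digits
        new_password = "".join(secrets.choice(alphabet) for _ in range(12))
        self.accounts[email] = new_password
        self.outbox.append((email, f"Your new password: {new_password}"))
        return new_password


if __name__ == "__main__":
    svc = PasswordReminder({"alice@example.invalid": "old-secret"})
    svc.request("alice@example.invalid")   # anyone who knows the address can do this...
    print(svc.accounts["alice@example.invalid"])  # ...but the password is still old-secret
```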


Comments

6 responses to “It works, and let's make it better”

  1. Thanks for sharing pal. We actually never recognized this issue.

  2. if session user id == user id on member profile else redirect :)
    That seems simpler, Thom..
    but to be safe, layer it with email confirmation as well

  3. Nice idea.. I’m working on a similar project too..
    *whoa.. did I just speak English? :D

  4. Thomas, isn’t the default in Drupal already like the one below? Unless what’s being built now doesn’t use Drupal?

  5. I’m more comfortable with the forgot-password scheme used by WordPress. If you want to change the password, enter the email address. Then verify via email that you really do want to change the password. If that link is clicked, a new password is sent. If the link isn’t clicked, nothing happens. This way can’t be abused, can it?

  6. Firman, just my opinion and I just realized this when I tried the password reminder feature…
    Godote, I’m not the one doing the coding; in this case I only designed the flow…
    Okto, well then.. where is it? Let me see…
    Pitra, besides Drupal, most CMSs are certainly better at features like this. Unfortunately, this isn’t based on an existing CMS, but built from scratch…
    Pujiono, yes mas… I agree. WordPress and other blog tools already handle features like this very nicely.