I just switched a bunch of my sites over to running on lighttpd including http://morphgnt.org/, http://leonardo.pyworks.org/ and http://www.quisition.com/.
It took me a little while to work out how to translate my ScriptAlias directives in Apache to lighttpd (hint: configure mod_alias to map the request path to the CGI script directory, then mod_cgi to recognize files ending in certain characters as CGI scripts).
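As an added illustration of that hint (this is not the author's configuration), here is what a lighttpd translation of a single `ScriptAlias /cgi-bin/ /var/www/cgi-bin/` line looks like; the paths, the suffixes and the interpreter location are assumptions:

```conf
# Added example, not taken from the original post. Equivalent of the Apache line
#   ScriptAlias /cgi-bin/ /var/www/cgi-bin/
# Directory, suffixes and interpreter path are assumptions.
server.modules += ( "mod_alias", "mod_cgi" )

# mod_alias: map the request path onto a directory that lives outside the
# document root, so the scripts can never be reached as ordinary files.
alias.url = ( "/cgi-bin/" => "/var/www/cgi-bin/" )

# mod_cgi: only for requests under that path, treat files with these suffixes
# as CGI programs. An empty interpreter string means "execute the file itself"
# (it must be executable and start with a #! line).
$HTTP["url"] =~ "^/cgi-bin/" {
    cgi.assign = ( ".cgi" => "",
                   ".py"  => "/usr/bin/python" )
}
```

One difference from ScriptAlias worth checking after the switch: Apache treats everything under a ScriptAlias directory as a script, whereas lighttpd only executes the suffixes listed in `cgi.assign` and serves any other file in that directory as static content. So a script saved without one of those suffixes (or a backup copy such as `foo.cgi.bak`) would be sent to the client as source rather than run; keep the directory free of anything that is not meant to execute.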
The only problem I now have is I've killed anonymous SVN access on pyworks.org because I was previously serving it up via Apache. I'm still investigating alternatives to running Apache just for this purpose.
by : Created on March 20, 2006 : Last modified March 20, 2006 : (permalink)
On the weekend, I drew some diagrams describing the account management sub-system I had written for Quisition, partly to see the patterns abstracted from the particular implementation.
Here's the login pattern:
Elliotte Rusty Harold recently wrote about the problems with using GETs for confirmation.
I wanted account signup to involve being sent an email to ensure the user had given a legitimate email address, but cognisant of the issues Rusty raises, I made the email received on signup link to a further form the user then has to submit to truly activate the account:
I originally had the "forget password form" directly resetting the password, but then I realised someone could maliciously enter the email address of another user to reset their password. Not a security issue so much (the new password goes to the right person) but it's a nuisance for the person if they didn't request the reset.
So I adopted an additional pattern where an email is sent which then takes the user to a reset password form:
In both cases, the URI in the email includes a hash in the parameters so the GET that leads to the form can't be faked.
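The two email-link patterns above (activation after signup, and reset after a "forgot password" request) can be implemented with one signed-token helper. The following Python is an added example, not the Quisition code: the account store, the outbox that stands in for a mail server, and the token layout (`expires.hmac`) are all assumptions. It keeps the property the post describes: the link in the email only lets the user reach a form (the GET changes nothing), the state change happens on the form's POST, and a "forgot password" request for someone else's address does nothing except send mail to that address. It also goes one step beyond the post by binding the reset token to the current password hash, so a reset link stops working once it has been used.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

# Per-deployment secret for signing links; generated here only so the
# example runs stand-alone (a real site keeps it in configuration).
SECRET = secrets.token_bytes(32)
TOKEN_TTL = 24 * 3600  # an emailed link stays valid for one day (assumption)


@dataclass
class Account:
    email: str
    password_hash: str
    active: bool = False


accounts = {}  # email -> Account; constructed in-memory store
outbox = []    # (recipient, link) pairs; stands in for sending mail


def hash_password(password, salt=b""):
    """Salted PBKDF2; the stored form is 'salt_hex$digest_hex'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def check_password(password, stored):
    salt_hex, _ = stored.split("$", 1)
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


def _sign(purpose, email, expires, state):
    # The signature covers the purpose, so an activation token can never be
    # replayed as a reset token, and the expiry, so the link cannot be kept.
    msg = "|".join((purpose, email, str(expires), state)).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_token(purpose, email, state="", now=None):
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    return f"{expires}.{_sign(purpose, email, expires, state)}"


def verify_token(purpose, email, token, state="", now=None):
    try:
        expires_str, sig = token.split(".", 1)
        expires = int(expires_str)
    except ValueError:
        return False
    if expires < (time.time() if now is None else now):
        return False
    return hmac.compare_digest(sig, _sign(purpose, email, expires, state))


def params_from_link(link):
    return {k: v[0] for k, v in parse_qs(urlparse(link).query).items()}


# --- signup -> email -> activation form -> POST activates -------------------

def signup(email, password):
    accounts[email] = Account(email, hash_password(password))
    token = make_token("activate", email)
    outbox.append((email, "/activate?" + urlencode({"email": email, "token": token})))


def show_activation_form(email, token):
    """GET handler: decides only whether to render the form; changes nothing."""
    return email in accounts and verify_token("activate", email, token)


def activate(email, token):
    """POST handler: the actual state change lives here."""
    if not show_activation_form(email, token):
        return False
    accounts[email].active = True
    return True


# --- forgot password -> email -> reset form -> POST resets ------------------

def request_password_reset(email):
    """Anyone may submit any address; the only effect is mail to that address."""
    acct = accounts.get(email)
    if acct is not None:  # unknown addresses get no mail and no different response
        token = make_token("reset", email, state=acct.password_hash)
        outbox.append((email, "/reset?" + urlencode({"email": email, "token": token})))


def show_reset_form(email, token):
    acct = accounts.get(email)
    return acct is not None and verify_token("reset", email, token, state=acct.password_hash)


def reset_password(email, token, new_password):
    if not show_reset_form(email, token):
        return False
    # Changing the hash also invalidates the token that authorised this reset.
    accounts[email].password_hash = hash_password(new_password)
    return True
```

The "hash in the parameters" from the post is the HMAC part of the token here: the server can recompute it from the email address and expiry, but nobody without the secret can produce a link that the GET handler accepts. Because the reset token is signed over the current password hash, a reset link that has already been used, or one sent before the user changed their password by other means, no longer verifies.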
by : Created on March 20, 2006 : Last modified March 20, 2006 : (permalink)