On the weekend, I drew some diagrams describing the account management sub-system I had written for Quisition, partly to see the patterns abstracted from the particular implementation.
Here's the login pattern:
Elliotte Rusty Harold recently wrote about the problems with using GETs for confirmation.
I wanted account signup to involve being sent an email to ensure the user had given a legitimate email address, but cognisant of the issues Rusty raises, I made the email received on signup link to a further form the user then has to submit to truly activate the account:
I originally had the "forget password form" directly resetting the password, but then I realised someone could maliciously enter the email address of another user to reset their password. Not a security issue so much (the new password goes to the right person) but it's a nuisance for the person if they didn't request the reset.
So I adopted an additional pattern where an email is sent which then takes the user to a reset password form:
In both cases, the URI in the email includes a hash in the parameters so the GET that leads to the form can't be faked.
The original post had 2 comments I'm in the process of migrating over.