Posted by drumm on May 4, 2011 at 6:35pm
| Project: | Bakery Single Sign-On System |
| Version: | 6.x-2.x-dev |
| Component: | Documentation |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Issue Summary
The cookie exchange doesn't bring the password all the way back, starting from _bakery_register_submit().
Name and mail are stashed in $_SESSION for the slave to potentially refer to later. The easiest solution would involve this, but we might not want plain text passwords lying around $_SESSION. Otherwise, it would have to be carried through the two key exchanges.
Or, we could not send the password in email and rely on the login URL. I like this since passwords in email are not great. We could change the email content on enable/update if it is the default, or alert the user if it contains !password.
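As an added example (not Bakery's own code and not something the project adopted on this issue), here is one way the "alert the user if it contains !password" idea from the summary could be wired up in a hypothetical Drupal 6 helper module named bakery_mailcheck. The mail-template variable keys and the _user_mail_text() helper are taken from Drupal 6 core's user.module as I recall them; treat the key list as an assumption and adjust it for your site.

```php
<?php
// Added example: hypothetical module "bakery_mailcheck" (not part of Bakery).
// Assumes Drupal 6 core's user.module mail keys ('user_mail_' . $key . '_body'
// variables) and its _user_mail_text() helper, which returns the stored
// template or the core default when none has been saved.

/**
 * Mail-template keys whose body may carry the !password token.
 *
 * Assumption: these are the Drupal 6 core keys for the welcome/activation
 * mails that a slave site's users would receive.
 */
function bakery_mailcheck_mail_keys() {
  return array(
    'register_admin_created',
    'register_no_approval_required',
    'register_pending_approval',
    'status_activated',
  );
}

/**
 * Return the keys of the templates that still contain the !password token.
 *
 * $templates is an array of key => body text. Kept free of Drupal API calls
 * so the check can be exercised on any set of strings.
 */
function bakery_mailcheck_find_password_token($templates) {
  $hits = array();
  foreach ($templates as $key => $body) {
    if (strpos($body, '!password') !== FALSE) {
      $hits[] = $key;
    }
  }
  return $hits;
}

/**
 * Implementation of hook_enable() (lives in bakery_mailcheck.install).
 *
 * Warns once, when the module is turned on, if any effective template
 * (stored value or core default) would put a password in e-mail.
 */
function bakery_mailcheck_enable() {
  $templates = array();
  foreach (bakery_mailcheck_mail_keys() as $key) {
    $templates[$key] = _user_mail_text($key . '_body');
  }
  $hits = bakery_mailcheck_find_password_token($templates);
  if ($hits) {
    drupal_set_message(t('These e-mail templates still contain the @token token, which Bakery cannot deliver to slave sites: @keys. Replace it with the one-time @url link.', array(
      '@token' => '!password',
      '@url' => '!login_url',
      '@keys' => implode(', ', $hits),
    )), 'warning');
  }
}

/**
 * Implementation of hook_form_FORM_ID_alter() for user_admin_settings.
 *
 * Rejects saving a template that reintroduces !password.
 */
function bakery_mailcheck_form_user_admin_settings_alter(&$form, &$form_state) {
  $form['#validate'][] = 'bakery_mailcheck_user_admin_settings_validate';
}

/**
 * Validate handler: the form field names equal the variable names in D6.
 */
function bakery_mailcheck_user_admin_settings_validate($form, &$form_state) {
  $templates = array();
  foreach (bakery_mailcheck_mail_keys() as $key) {
    $field = 'user_mail_' . $key . '_body';
    if (isset($form_state['values'][$field])) {
      $templates[$field] = $form_state['values'][$field];
    }
  }
  foreach (bakery_mailcheck_find_password_token($templates) as $field) {
    form_set_error($field, t('Bakery: remove the @token token from this template; use the @url link instead.', array(
      '@token' => '!password',
      '@url' => '!login_url',
    )));
  }
}
```

The token is passed to t() through an @-placeholder rather than written literally, because t() itself treats "!password" as a placeholder name. Sites that have already customised their templates pass the validation untouched; only a template that still mentions !password is flagged.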
Comments
#1
Yes, please. I think that's a reasonable requirement that if someone wants to use bakery they can't have passwords in their welcome emails.
#2
Yeah, I meant to document this as a known issue. I think the best answer is to remove the token from the email.
#3
Here is a draft of the new text:
#4
Text looks great to me. That's how I rewrite it on every site where I remember to do it.
#5
What's the fix here? Document in README/handbooks?
#6
Yes.