[Mailman-Developers] Re: GET vs POST (was Re: subscription confirmations)

Jay R. Ashworth jra@baylink.com
Wed, 18 Jul 2001 15:32:02 -0400

On Wed, Jul 18, 2001 at 11:14:03AM -0700, Chuq Von Rospach wrote:
> In the confirming email, you say something like:
> To confirm your subscription, please use this link:
>     http://www.foo.com/mailman/confirm/XXXXXX
> If this link doesn't work for you, then go to
> http://www.foo.com/mailman/confirm, and use code XXXXXX to confirm your
> subscription.
> If someone goes to /confirm, it brings up a page querying them for the
> confirmation number, which is some value that Mailman generates to link the
> user to the confirmation request. The shorter the better, so don't use
> things like e-mail address -- generate a unique value, and (as always) make
> it case insensitive, and watch out for the normal gotchas, like '1' and 'l'
> or '0' and 'O'. Don't assume they're going to be able to suck the code out
> of the URL, don't assume they'll cut and paste, and don't assume they can
> take a long string and type it in without typos. So keep it short and clean.
> Five or six characters, preferably [A-Z0-9], and don't presume english,
> since Mailman is international. So it's better to use unambiguous random
> characters than english-like passwords...

Alas, this is *just like* making the GET active, only worse.  At least,
with the GET approach, you had the chance, as an automagic link
snarfer, to *avoid* that link, since you could see that it was active.

This method, just like the similar problem I alluded to with Zope, prohibits
even that optimization: you can't *tell* the link is active.  I like
that even less.

-- jra
Jay R. Ashworth                                                jra@baylink.com
Member of the Technical Staff     Baylink                             RFC 2100
The Suncoast Freenet         The Things I Think
Tampa Bay, Florida        http://baylink.pitas.com             +1 727 804 5015

   OS X: Because making Unix user-friendly was easier than debugging Windows
     -- Simon Slavin in a.f.c
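The two points in this exchange, the short unambiguous confirmation code from the quoted message and the reply's objection that a GET link which performs the confirmation is dangerous to automatic link fetchers, can be made concrete in a few lines. The following is an added example written for this page; it is not Mailman's code and not either author's. The endpoint path, the ConfirmationStore class, the attempt ceiling and the sample address are assumptions chosen for illustration. The design folds the confusable glyphs (0/O, 1/I/L) onto one issued symbol on input rather than simply forbidding them, makes GET render a form only, and caps wrong guesses, which is what makes a six-character code tolerable at all.

```python
"""Added example, not Mailman's own code: short, unambiguous subscription
confirmation codes, and a GET-shows-form / POST-confirms dispatcher."""
import html
import math
import secrets

# Issued alphabet: A-Z0-9 with the lookalikes the quoted message warns about
# removed.  'O' and 'I' are kept; '0', '1' and 'L' are dropped and folded
# back onto the kept glyphs when the user types the code in.
ALPHABET = "ABCDEFGHIJKMNOPQRSTUVWXYZ23456789"   # 33 symbols
CODE_LEN = 6
_FOLD = str.maketrans({"0": "O", "1": "I", "L": "I"})
# Hypothetical ceiling on wrong guesses before all pending requests are voided.
# A 6-character code only resists guessing because attempts are capped.
MAX_FAILED_ATTEMPTS = 10


def generate_code(length: int = CODE_LEN) -> str:
    """Draw a code from the unambiguous alphabet with a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def normalize(typed: str) -> str:
    """Canonicalise user input: case-insensitive, separators ignored,
    and 0/1/L folded onto O/I so a lookalike typo still matches."""
    cleaned = "".join(ch for ch in typed.strip().upper() if ch not in " -.")
    return cleaned.translate(_FOLD)


def entropy_bits(length: int = CODE_LEN) -> float:
    """Guessing resistance of a code of this length, in bits."""
    return length * math.log2(len(ALPHABET))


def guess_probability(attempts: int, length: int = CODE_LEN) -> float:
    """Chance that `attempts` random guesses hit one particular pending code."""
    return min(1.0, attempts / len(ALPHABET) ** length)


class ConfirmationStore:
    """Pending subscription requests keyed by code (hypothetical, in-memory)."""

    def __init__(self):
        self._pending = {}          # code -> subscriber address
        self.failed_attempts = 0

    def issue(self, email: str) -> str:
        code = generate_code()
        while code in self._pending:     # collision is vanishingly rare
            code = generate_code()
        self._pending[code] = email
        return code

    def confirm(self, typed: str):
        """Return the address and retire the code on success, else None.
        Codes are single-use; too many failures void every pending request."""
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return None
        email = self._pending.pop(normalize(typed), None)
        if email is None:
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self._pending.clear()
        return email


def handle_request(store: ConfirmationStore, method: str, path: str, form=None):
    """Dispatcher for a hypothetical /mailman/confirm endpoint.

    GET never changes state: both /mailman/confirm and /mailman/confirm/<code>
    only render a form (the latter pre-filled), so a link prefetcher that
    fetches the mailed URL confirms nothing.  Only POST confirms.
    """
    prefix = "/mailman/confirm"
    if not path.startswith(prefix):
        return 404, "not found"
    if method == "GET":
        prefilled = html.escape(path[len(prefix):].strip("/"), quote=True)
        return 200, (f'<form method="POST" action="{prefix}">'
                     f'<input name="code" value="{prefilled}">'
                     '<input type="submit" value="Confirm"></form>')
    if method == "POST":
        email = store.confirm((form or {}).get("code", ""))
        if email is None:
            return 400, "invalid or expired confirmation code"
        return 200, f"subscription confirmed for {email}"
    return 405, "method not allowed"


if __name__ == "__main__":
    store = ConfirmationStore()
    code = store.issue("alice@example.org")      # constructed sample address
    print("mailed code:", code, "entropy bits:", round(entropy_bits(), 1))
    print(handle_request(store, "GET", f"/mailman/confirm/{code}"))
    print(handle_request(store, "POST", "/mailman/confirm", {"code": code.lower()}))
```

With 33 symbols a six-character code carries about 30 bits, so ten wrong guesses succeed against a given pending request with probability under 1e-8; without the attempt cap, an attacker free to hammer the POST endpoint would get through in hours, which is the caveat to keep in mind when shortening codes for typability.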