We have several password-protected Drupal installations for use by various groups connected to our organization. We have been using the Notification module to let folks know when something new has been posted. In actual practice, these sites are used so seldom that what happens is that people receive the notification, can't remember how to log in, and end up ignoring the notice (and the content) rather than ask for help logging in (again).
We think that one solution might be to send out the notifications such that they include the login/password info encrypted, so that clicking on the link takes someone into the website, already logged in. The encrypted info would probably want to expire, say, within a week.
This doesn't seem possible with the Notification module. Is there something else that provides a similar service that we might use (some comments on the Drupal forums suggested that og also sends notifications, but it isn't clear if we can ease people's way to getting into the site)?
Ideas?
If you can change the url sent to the users, to contain the encrypted login information, then you could send them not directly to the content, but to another page, which will process the request. Say, for example, the content is at node/67, you could send them first to /autologin/node/67, where you'll check the credentials, and pass the user on to node/67, without him/her having to do anything.
Yeah, that's what I was thinking - generate an encrypted login/password that becomes part of the URL sent to the user. Set that particular login to expire in a week (so as not to have forwardable logins being passed around each user's friends and remote acquaintances and their friends...).
Has anyone done such a thing?
On 4/30/07, Zohar Stolar z.stolar@gmail.com wrote:
> If you can change the url sent to the users, to contain the encrypted login information, then you could send them not directly to the content, but to another page, which will process the request. Say, for example, the content is at node/67, you could send them first to /autologin/node/67, where you'll check the credentials, and pass the user on to node/67, without him/her having to do anything.
-- [ Drupal support list | http://lists.drupal.org/ ]
Quoting Ari Davidow aridavidow@gmail.com:
> Ideas?
Include the links to user/password link (Request new password) in the mail. Create a user/remind_password link to have that in the mail instead. Just send the unencrypted password to the user. Always send a new password with the notification.
I'm thinking of others to add to the list. Of course more complicated methods require more time to implement.
Earnie
Earnie Boyd wrote:
> Quoting Ari Davidow aridavidow@gmail.com:
> Include the links to user/password link (Request new password) in the mail. Create a user/remind_password link to have that in the mail instead. Just send the unencrypted password to the user.
Actually I have a client who knows his users so well, that he asked me to clear-text all the passwords... Yes, he IS aware of the consequences, but it allows him, amongst others, to send a username and a clear text password, with each mail that goes out to a user. Even without changing the whole login system, like we did, only keeping the original password in the user's data, allows you to do it.
>> Include the links to user/password link (Request new password) in the mail.
>> Create a user/remind_password link to have that in the mail instead. Just send the unencrypted password to the user.
> Actually I have a client who knows his users so well, that he asked me to clear-text all the passwords...
Ouch. Let's not go there. That opens up too many very significant security holes. I hope for your clients' sake that the passwords used are auto-generated and unique to that system.
But if someone has done something similar, =with= encryption/decryption and auto-expiry, I'd love to talk with you.
ari
I'd think you could borrow some code from the invite module and put something like this together rather quickly using auto-generated un-guessable tokens with expiry dates.
Two ideas:
One, look into the Login Ticket API, and Temporary Invitation module, to build a login for each user potentially, a custom module that you write could then be used to hook the temporary invitation module from the notification module, or perhaps from actions/workflow or something along those lines.
Two, LoginToboggan module will enable you to put a login form on each access denied page, which would definitely remove the question of how to log in for the logged out users, as long as they can remember their passwords.
http://drupal.org/project/loginticket
http://drupal.org/project/temporary_invitation
http://drupal.org/project/logintoboggan
-Mike
On Apr 29, 2007, at 1:22 PM, Ari Davidow wrote:
> We have several password-protected Drupal installations for use by various groups connected to our organization. We have been using the Notification module to let folks know when something new has been posted. In actual practice, these sites are used so seldom that what happens is that people receive the notification, can't remember how to log in, and end up ignoring the notice (and the content) rather than ask for help logging in (again).
> We think that one solution might be to send out the notifications such that they include the login/password info encrypted, so that clicking on the link takes someone into the website, already logged in. The encrypted info would probably want to expire, say, within a week.
> This doesn't seem possible with the Notification module. Is there something else that provides a similar service that we might use (some comments on the Drupal forums suggested that og also sends notifications, but it isn't clear if we can ease people's way to getting into the site)?
> Ideas?
__________________ Michael Prasuhn mike@mikeyp.net http://mikeyp.net 714.356.0168
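
The approach the thread converges on (an /autologin/... landing page plus auto-generated, un-guessable tokens with expiry dates), sketched as an added example that is not code from any poster or from a Drupal module. The class name LoginLinkStore, its in-memory array (standing in for a database table), the uid, the timestamp and the example.org URL are assumptions; the link carries a random one-time token and never any form of the password.

```php
<?php
// Added example: one-time, expiring login links. The array stands in for a DB table.
final class LoginLinkStore
{
    private array $rows = [];   // keyed by SHA-256 of the token, never the token itself

    // Issue a token for $uid that is valid for $path until $ttl seconds after $now.
    public function issue(int $uid, string $path, int $now, int $ttl = 604800): string
    {
        $token = bin2hex(random_bytes(32));      // 256 bits from the system CSPRNG
        $this->rows[hash('sha256', $token)] = [
            'uid' => $uid, 'path' => $path, 'expires' => $now + $ttl,
        ];
        return $token;                           // goes into the mail, nowhere else
    }

    // Returns ['uid' => ..., 'path' => ...] or null for unknown, used or expired tokens.
    public function redeem(string $token, string $requestedPath, int $now): ?array
    {
        $key = hash('sha256', $token);
        $row = $this->rows[$key] ?? null;
        if ($row === null) {
            return null;                         // never issued, or already redeemed
        }
        unset($this->rows[$key]);                // single use: a forwarded link is dead
        if ($now > $row['expires'] || $row['path'] !== $requestedPath) {
            return null;                         // too old, or aimed at another page
        }
        // The caller redirects to the stored path, not to anything taken from the URL.
        return ['uid' => $row['uid'], 'path' => $row['path']];
    }
}

// Constructed sample run: uid 42 is notified about node/67.
$store = new LoginLinkStore();
$now   = 1177891200;                             // constructed timestamp
$token = $store->issue(42, 'node/67', $now);
echo "https://example.org/autologin/node/67?token=$token\n";

var_dump($store->redeem($token, 'node/67', $now + 3600));       // first click
var_dump($store->redeem($token, 'node/67', $now + 7200));       // same link again
$old = $store->issue(42, 'node/67', $now);
var_dump($store->redeem($old, 'node/67', $now + 8 * 86400));    // clicked after 8 days
```

Only the hash of each token is stored, so a leaked table does not yield working links, and a successful redeem is the point at which the site would start a normal session for the returned uid.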