
en - Re: [sympa-users] Is initial account password only intended for first login ?

Subject: The mailing list for listmasters using Sympa

  • From: address@concealed
  • To: Peter Farmer <address@concealed>
  • Cc: address@concealed
  • Subject: Re: [sympa-users] Is initial account password only intended for first login ?
  • Date: Thu, 12 Oct 2006 17:36:49 +0200

Peter Farmer wrote:

SYMPAthisers,

What is the intended lifespan of the initial password sent to new accounts?
Can a user just continue to use it or are they required to change it within a
given period of time (as a confirmation of the email address?)

After account creation it seems to be valid for general use of the account
including posting. But an entry does not appear in the users database table
for the account until its password is changed.

True: the password is computed (predictable), so there is no need to store it anywhere unless the user has some other attributes. Of course this is a security issue: if someone catches the cookie parameter in sympa.conf, he can create user/password couples. In addition, passwords are stored with reversible encryption: this is another security issue.

And more significantly the account seems to disappear (expire?) after a couple
of days if I don't subscribe to a list straight away!
So from the observed behaviour, I am presuming users are required to update
their password to complete the opt-in process?

Not at all. We want to change this in a way described in sympa project direction: http://www.sympa.org/wiki/doku.php?id=project_direction (see section authentication and section sessionning)

This is a wiki (Dokuwiki). Please log in (using your email and sympa password) in order to add comments to this page.

Regards
Serge
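
The trade-off described in the reply above, as an added sketch that is not part of the original message and not Sympa's code: an initial password computed from a site-wide secret needs no database row, but it is only as secret as that configuration value, whereas a random password stored as a salted one-way hash depends on neither the config file nor a reversible key. The HMAC-SHA256 derivation, the PBKDF2 parameters and every name below are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed value standing in for the `cookie` parameter in sympa.conf.
SITE_COOKIE = b"constructed-site-secret"


def derived_initial_password(email: str, site_secret: bytes = SITE_COOKIE) -> str:
    """Hypothetical derivation: a pure function of the site secret and the
    address, so nothing is stored, and whoever holds the secret can compute it."""
    mac = hmac.new(site_secret, email.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:12]


def check_derived(email: str, candidate: str, site_secret: bytes = SITE_COOKIE) -> bool:
    expected = derived_initial_password(email, site_secret)
    return hmac.compare_digest(expected, candidate)


class RandomPasswordStore:
    """Alternative: random initial password, only a salted one-way hash is kept."""

    ITERATIONS = 200_000  # assumed work factor for this sketch

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}  # email -> (salt, digest)

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def create(self, email: str) -> str:
        password = secrets.token_urlsafe(12)  # unrelated to any config value
        salt = secrets.token_bytes(16)
        self._users[email.lower()] = (salt, self._hash(password, salt))
        return password  # mailed to the user once, never stored in clear

    def check(self, email: str, candidate: str) -> bool:
        record = self._users.get(email.lower())
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(self._hash(candidate, salt), digest)
```

With the second design, a row exists from account creation onward, so the account no longer depends on a value that can be recomputed from the configuration file.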


