
en - Re: [sympa-users] Is initial account password only intended for first login ?

Subject: The mailing list for listmasters using Sympa

  • From: Olivier Salaün - CRU <address@concealed>
  • To: Peter Farmer <address@concealed>
  • Cc: address@concealed
  • Subject: Re: [sympa-users] Is initial account password only intended for first login ?
  • Date: Fri, 20 Oct 2006 10:44:17 +0200

Peter,

You've perfectly understood the way Sympa manages user passwords:
  1. initial passwords are valid for any action
  2. they are valid, without any time limitation
  3. user accounts are expired if the user is not subscribed to any list. The goal is to prevent the user_table from growing endlessly with entries that are no longer used. The process of expiring these entries is controlled by the "purge_user_table_task" parameter (see http://www.sympa.org/doc/html/node8.html#SECTION0081013000000000000000)
Some additional information:
  1. initial passwords are computed, based on email+server secret (cookie parameter). They are stored in the user_table only if the user customizes a user preference
  2. initial passwords are detected by wwsympa (start with 'init') and the user is prompted with a banner that suggests that he change his password.
This is how Sympa works today (and as I wrote it down, I realize it should be more documented). But we are going to change the whole password management process in Sympa, as described in the sympa.org wiki: http://www.sympa.org/wiki/doku.php?id=project_direction#password_storage

Comments on the design are welcome.

Peter Farmer wrote:
What is the intended lifespan of the initial password sent to new accounts?
Can a user just continue to use it or are they required to change it within a
given period of time (as a confirmation of the email address ?)

After account creation it seems to be valid for general use of the account including posting. But an entry does not appear in the users database table for the account until its password is changed.
And more significantly the account seems to disappear (expire ?) after a couple of days if I don't subscribe to a list straight away!
So from the observed behaviour , I am presuming users are required to update their password to complete the opt-in process ? 
If this is so, the user interface needs to make it clearer to the subscriber that they MUST reset their password after creating the account .

The documentation appears not to be helpful regarding this process ...
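The following is an added example, not part of the thread and not Sympa's own code: a listmaster-side audit that recomputes each account's initial password from the address and the server secret and reports who is still using it, which matters because the thread says these passwords never expire. The derivation (HMAC-SHA256, 8 hex characters, lower-cased address), the function names and the sample accounts are assumptions; only the 'init' prefix and the email+secret inputs come from the message above.

```python
import hashlib
import hmac

INIT_PREFIX = "init"  # per the thread, wwsympa recognises initial passwords by this prefix


def derive_initial_password(email: str, server_secret: str) -> str:
    """Stand-in derivation (assumption, not Sympa's algorithm): keyed hash of the address."""
    normalised = email.strip().lower().encode()
    mac = hmac.new(server_secret.encode(), normalised, hashlib.sha256)
    return INIT_PREFIX + mac.hexdigest()[:8]


def looks_initial(password: str) -> bool:
    """Prefix check only; a user-chosen password may also begin with 'init'."""
    return password.startswith(INIT_PREFIX)


def audit(accounts: dict, server_secret: str) -> dict:
    """Classify each account as 'initial', 'prefix-only' or 'changed'."""
    report = {}
    for email, password in accounts.items():
        expected = derive_initial_password(email, server_secret)
        if hmac.compare_digest(password.encode(), expected.encode()):
            report[email] = "initial"      # derived value still in use, no expiry
        elif looks_initial(password):
            report[email] = "prefix-only"  # would trigger the banner, but user-chosen
        else:
            report[email] = "changed"
    return report


# Constructed sample data (hypothetical secret and accounts).
SECRET = "constructed-cookie-value"
ACCOUNTS = {
    "alice@example.org": derive_initial_password("alice@example.org", SECRET),
    "bob@example.org": "initiative-2006",
    "carol@example.org": "S0me-chosen-pass",
}

if __name__ == "__main__":
    for email, status in audit(ACCOUNTS, SECRET).items():
        print(f"{email}: {status}")
```

Because the value depends only on the address and the secret, changing the secret changes every initial password at once, and anyone holding the secret can recompute all of them.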

  



