Posted: Mon Jan 26, 2004 5:36 pm
so the "use case" goes like this:
1) user submits desired username & email to sg web server (not password, since it won't stick)
2) sg webserver validates username to make sure it's not in use -- if so, returns error (like now)
3) if username is available, sg server
a) gets a word from the dictionary
b) uses lwp to call gourmet, which will generate image and provide the filename
c) uses secret phrase, new username, and word to generate hash
d) makes a page with a form that includes the new username and email address as hidden inputs, includes the hash as a hidden input, shows the captchagen image, and provides displayed inputs for new password (twice) and word-in-the-image
4) user submits form, sg webserver validates that the two passwords match and then re-hashes secret phrase, username, and input word. It then compares the new hash with the input hash. If they match, it creates the account (otherwise it gives an error and re-displays the previous page with the form)
does that sound right? If so, it's cool because there's no persistence on the sg webserver until it creates the account.
Should the type-in-word be considered case sensitive? If not, we can lc() the relevant variables.
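The stateless flow from step 3c through step 4, as an added Python example (not the poster's own Perl code): it assumes HMAC-SHA256 for the hash (the post names none), lowercases the word so the check is case-insensitive as the lc() option suggests, compares in constant time, and goes one step beyond the post by also binding the email into the token so the hidden email field can't be swapped between steps 3 and 4. SERVER_SECRET, the usernames and the word are constructed values.

```python
import hashlib
import hmac

# Constructed secret phrase for this example; the real server keeps its own.
SERVER_SECRET = b"constructed-secret-phrase"


def make_token(secret: bytes, username: str, email: str, word: str) -> str:
    """Step 3c: MAC over the new username, email and the CAPTCHA word.
    Each field is length-prefixed so "ab"+"c" and "a"+"bc" cannot collide,
    and the word is lowercased so the later check is case-insensitive (lc())."""
    parts = [username, email, word.lower()]
    msg = b"".join(len(p.encode()).to_bytes(2, "big") + p.encode() for p in parts)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def step3_form(secret: bytes, username: str, email: str, word: str, image: str) -> dict:
    """Step 3d: the hidden inputs and image the server hands to the browser.
    The word itself is never sent to the client; only the image and the token are,
    so nothing has to be stored server-side until the account is created."""
    return {
        "username": username,
        "email": email,
        "token": make_token(secret, username, email, word),
        "image": image,
    }


def step4_verify(secret: bytes, form: dict) -> tuple:
    """Step 4: check the two passwords match, recompute the token from the
    submitted word and hidden fields, and compare it in constant time.
    Returns (ok, reason); the caller creates the account only when ok is True."""
    if form["password"] != form["password2"]:
        return False, "passwords do not match"
    expected = make_token(secret, form["username"], form["email"], form["word"])
    if not hmac.compare_digest(expected, form["token"]):
        return False, "word or hidden fields do not match"
    return True, "create account"
```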