Features / Usability


Email validation of registration and other registration issues -- 1

posts: 102

Hello,

Just installed 1.9.1 because the other one I installed, through Fantastico "worked" but when I tested the "registration", I was able to register several names, but ....

The process required validation:
(1) that is an email sent to the registrant --> and (s)he must respond to complete the registration

The problem was the email never came. I tried several names and emails, no go. Note, I have a mechanism to check whether an email was being sent, through "CC", to make sure that an email address indeed receives an email.

I thought it might be a bug in the old tikiwiki (1.8.5) that I installed through Fantastico. I saw an old post indicating the same problem:

http://tikiwiki.org/tiki-view_forum_thread.php?comments_parentId=3322&forumId=4&highlight=email%20validation

and there were recent posts indicating the same problems, for example:

http://dev.tikiwiki.org//tiki-view_tracker_item.php?trackerId=5&itemId=336

That was why I installed 1.9.1 to check if this has been resolved; but I had the same problem even with 1.9.1.

Without any validation, I tried to log-in with the "username" (this username is separate from my "admin"); but, the log in failed since there was no validation of the registration, to begin with.

(2) Since I am registering "myself" essentially, I used the "admin" user to approve my "other usernames" — that was the only way it would work.

More in the next "response" to this...

cgc0202

posts: 102

OK, so I like so many features of tikiwiki, that is why I am trying it — although with all the features, it may take time before I can get it to have a look like I want.

One good feature that I like is the consciousness of the developers about security (kudos to the development team):

(1) Registration challenge
-- this prevents automatic registration — although it could be made more difficult by including letters and numbers that are skewed, so that it will be even more difficult for a machine to read automatically.

(2) Email validation of registration.
— as I stated in the original post above, this does not work with the one I installed just right now. It seems it is indeed still a bug, based on the link on dev.tikiwiki.org (see links shown in the original post).

(3) Admin approval
-- this is even getting better; but it should not replace the other two above. What I would like to suggest though is that there must be a way to screen users (e.g., they tell something about their interests, where they are from, etc.) Otherwise, what will be the basis for the administration for "approving" or disapproving any particular registrant? Without this added information, I am not sure how much additional security an "admin approval" provides — with what is already achieved through a combination of features #1 and #2.

(4) I understand that you are also trying to test a way of checking whether an email address is valid or not. I think this is also another layer of defense.

Note:
After I changed the preferences, suddenly, the "email address is one of the blanks" that appears in the "log-in" option. Is this another security option? It seems it is not the intention to fill this up though, because I can log-in without filling the email during the process.

cgc0202


posts: 2881 United Kingdom

Glad you are enjoying TikiWiki

Damian

posts: 102

> Glad you are enjoying TikiWiki
>
> Damian
>

Thanks for responding Damian.

So, is my observation about the lack of email validation a known bug?

I hope this was already fixed.

It must have been fixed with the tikiwiki website because I was able to register (I believe I was also sent an email to activate my registration to this site).

What was done to fix the problem indicated in the first post?

I am a newbie on this, including understanding PHP, databases and installations of software — let alone the use of such complicated software as tikiwiki. If I had it difficult, I can just imagine how much more effort was placed in creating the tikiwiki software itself.

So, I will be posting a gazillion questions, from the point of view of someone who is very interested in using the wonderful features of tikiwiki. I am documenting the process, and perhaps will help write a "procedure" for various steps, from the point of view of a newbie with very little background in PHP, CSS, CMS, etc.

Please bear with me.

Sincerely,

cgc0202

posts: 1092

A usual mail problem - this is a generic answer -
It is very important to check what your mail server wants for the end of line in the header. In admin -> general: Mail end of line. Some MTA servers need an LF ending.
And a mail with a bad encoding can be considered as spam.


posts: 102

Thanks Damian and Sylvie,

I spent almost the entire day dealing with the email issue and in fact tried to challenge the email features to find potential security loopholes. I consider the email registration validation very important.

And, I found quite a few. Who and where do I send it to in regard to these potential security loopholes?

I do not want to discuss them*** in detail here — giving some malicious users some ideas on what they could be and how to exploit them. I may have to modify the process — like requiring another separate email validation alternative if the loopholes are not resolved.

There are also obviously some bugs, like "incorrect messages" appearing with some pages instead of another. Some of them are definitely errors in scripting of the "if" functions, or something like that — I would like to send them to someone also. I might suggest some ideas on which messages should go with which pages — to avoid confusing the user.

In regard to the email not being sent — here is what I found ... Tikiwiki did not seem to like my domain names, especially the main one *grins*. Anyway, I challenged the system several times by adding new names — what happens is that it liked my other email addresses, like yahoo, but not my email addresses associated with my main website.

This is not an error in email, because when I sent test emails (to verify whether something is malfunctioning with the email address) — let us say, I send a message from Yahoo to my website email address — this works. It even forwards it to a specific yahoo email address.

More disturbing, for these registrations where I used my website email addresses, in the database, it includes the actual password, not encrypted. It did not seem to do this with the other email addresses. I am baffled why it was doing this.

cgc0202

• Just to give one example — a very great concern but not the most serious — I was able to register an "unlimited number" of usernames using the same email address. So, it is even easy to impersonate another person, because I can register the names of other people I know, and they can no longer register using that name. When I was participating in the New York Times forum, I found how this could be abused.


Also, it would render such features, like polling and surveys, invalid, if the same person can have gazillions. They do not even have to use the same email address, as it is so easy to get free email at present — yahoo (you can have unlimited emails), google, msn, etc. Also, an owner of a valid website has an unlimited number of email addresses at his (her) option.

To cite one example. Here in Massachusetts, where I am right now, it would be interesting how people really feel about "gay marriage" — a very hot topic that will get hotter during election time, and especially if the Family Research Institute gets enough signatures, and is able to convince about 51 legislators in the House to go along (for two years in a row), and there will be a ballot initiative in 2008.

It would be good for a series of internet polling questions and surveys — from now until 2008. As well as the involvement of the Catholic Church because of the issue about pedophile priests as well as Cardinal Law being "rewarded", given a prestigious post in the Vatican with a villa and servants to boot — for his actions shielding abuser priests.

These would be good topics for the forums also. But, as I have witnessed in the New York Times forum, where the visitors are supposed to be more civilized, it is easy for the discussion to get ugly. And, when you try to control the process — spam and "fake" users poison the polls as well as the forum.

It is for this reason, that there must be a way to improve the security of the registration, validation and authenticity of registrants — without creating too much burden on the Administrator.

cgc0202

posts: 1092

For security purposes, mail to security at tikiwiki.org

From the place you receive an email from tw, did you check the headers? Perhaps you will see something like "header improperly encoded with \r\n" (I don't remember exactly the message). In this case go to admin -> general and change the end of mail line to LF or CR.
Just to check: are you on 1.9.1 at least - because before, a return path in the header was missing.
It was very hard to fix tw to be sure that the message it sends is not considered as spam. Perhaps there is still some detail that can be considered as spam.

Same emails forbidden at registration time -> something to be developed in tw.
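As an added example (not Tiki's own code), the "mail end of line" check described in Sylvie's two replies, in Python: it detects a header block that mixes CRLF and bare LF endings, the symptom behind a "header improperly encoded" message, and rewrites the message to the configured ending. The setting names CRLF/LF/CR and the sample validation mail are assumptions.

```python
# Added example, not code from TikiWiki. Some MTAs reject or spam-flag a message
# whose header lines do not all end the same way; an admin "end of line"
# setting picks one style. Setting names below are assumed, not Tiki's.
import re

EOL_SETTINGS = {"CRLF": "\r\n", "LF": "\n", "CR": "\r"}
_EOL_NAME = {"\r\n": "CRLF", "\n": "LF", "\r": "CR"}

def split_header_body(raw: str):
    """Split a raw message at the first blank line; any EOL style is accepted."""
    m = re.search(r"\r\n\r\n|\n\n|\r\r", raw)
    if m is None:
        return raw, ""
    return raw[:m.start()], raw[m.end():]

def header_line_endings(raw_headers: str) -> set:
    """Return the set of line-ending styles actually used in the header block."""
    return {_EOL_NAME[t] for t in re.findall(r"\r\n|\n|\r", raw_headers)}

def normalize_eol(raw: str, setting: str) -> str:
    """Rewrite every line terminator (headers and body) to the configured style."""
    return re.sub(r"\r\n|\n|\r", EOL_SETTINGS[setting], raw)

def check_message(raw: str, setting: str):
    """Return (headers_consistent, styles_seen, normalized_message)."""
    headers, _ = split_header_body(raw)
    styles = header_line_endings(headers)
    return len(styles) <= 1, styles, normalize_eol(raw, setting)

# Constructed sample: a registration-validation mail whose Subject line was
# terminated with a bare LF while the other headers use CRLF.
SAMPLE = ("From: tiki@example.invalid\r\n"
          "To: newuser@example.invalid\r\n"
          "Subject: Please confirm your registration\n"
          "Content-Type: text/plain; charset=utf-8\r\n"
          "\r\n"
          "Click the link below to activate your account.\r\n")

if __name__ == "__main__":
    ok, styles, fixed = check_message(SAMPLE, "LF")
    print("header endings consistent:", ok, sorted(styles))
    print(repr(fixed))
```

Running the block reports the mixed header (CRLF and LF) and prints the message rewritten with a single LF style.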

