users@jersey.java.net

Re: [rest-discuss] confirmation URL ? GET ?

From: Felipe Gaścho <fgaucho_at_gmail.com>
Date: Sun, 27 Sep 2009 19:46:00 +0200

Hmm.. yes, I thought about a code in the email that should be used to
validate the registration in a web site.. so the email contains:

GET url to the confirmation form...
the page containing the form has a POST button to validate the registration....

it adds even more security to the whole process, while also adding more
usability complications for the users.. this trade-off is complicated
because it seems I am penalizing the users to preserve HATEOAS :)

On Sun, Sep 27, 2009 at 5:09 PM, John Panzer <jpanzer_at_acm.org> wrote:
> Actually something like a separate form step is needed to help prevent
> xsrf anyway.
>
> On Sunday, September 27, 2009, Subbu Allamaraju <subbu_at_subbu.org> wrote:
>>>> So, what is the alternative ?
>>>
>>> Send a URL to an HTML page that includes a POST form with a button the
>>> user clicks on to confirm.
>>>
>>> (or send an HTML email with a form (not sure if the email client
>>> supports the form submission though)).
>>
>> It is a matter of a tradeoff between usability and safety. Confirming
>> by just clicking on the link is a well-established usage pattern on
>> the web. Most users will miss the flow if there is another HTML form
>> or some other user interaction on that page.
>>
>> When implementing this, just make sure to not fail the request if the
>> user clicks on the link again (i.e. implement as idempotent).
>>
>> Subbu
>



-- 
Looking for a client application for this service:
http://fgaucho.dyndns.org:8080/arena-http/wadl
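A minimal model of the flow discussed in this thread (the e-mailed link is a safe GET that only renders a form, and only the form's POST confirms, implemented idempotently as Subbu suggests), added as an example that is not code from the thread or from Jersey; the `ConfirmationService` class, its in-memory store and the 24-hour expiry are assumptions.

```python
import secrets
import time
from html import escape


class ConfirmationService:
    """Two-step e-mail confirmation: GET shows a form, only POST confirms."""

    TTL_SECONDS = 24 * 3600  # assumed link lifetime

    def __init__(self, now=time.time):
        self.now = now
        # Constructed in-memory store: token -> {"email", "expires", "confirmed"}
        self.pending = {}

    def issue(self, email):
        """Create an unguessable token to embed in the e-mailed GET link."""
        token = secrets.token_urlsafe(32)
        self.pending[token] = {"email": email,
                               "expires": self.now() + self.TTL_SECONDS,
                               "confirmed": False}
        return token

    def _lookup(self, token):
        rec = self.pending.get(token)
        if rec is None or self.now() > rec["expires"]:
            return None
        return rec

    def handle_get(self, token):
        """GET /confirm?token=...: a safe method that changes nothing, so a mail
        scanner or link prefetcher following it cannot confirm the account."""
        if self._lookup(token) is None:
            return 404, "Unknown or expired confirmation link"
        form = ('<form method="POST" action="/confirm">'
                f'<input type="hidden" name="token" value="{escape(token)}">'
                '<button type="submit">Confirm registration</button></form>')
        return 200, form

    def handle_post(self, token):
        """POST /confirm: the only step that changes state. The unguessable
        token in the form body is what a cross-site page cannot supply."""
        rec = self._lookup(token)
        if rec is None:
            return 404, "Unknown or expired confirmation link"
        rec["confirmed"] = True  # record is kept, so a second click succeeds again
        return 200, f"{rec['email']} confirmed"
```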