I'm currently working on account activation links instead of sending a "your password is..." e-mail. The puzzle pieces are falling into place, and here's how I think I'm going to implement things:
- The main idea is to allow members to log in only if we are sure they have a valid e-mail address.
- Activation links remain valid for two days (48 hours). After that, they are deleted.
- The form where the password can be set will have a plugin hook, so things like captcha images can be added there.
| | New registration | Forgot password | E-mail address change |
|---|---|---|---|
| Login allowed before activated? | No | Yes | No |
| Activation Step: | Choose a new password | Choose a new password | No extra step. If the link is clicked, we know that the e-mail address exists |
| When link expires... | Delete member info | Do nothing. (everything remains as before) | Revert to the old e-mail address |
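
The rules in the table, written out as an added Python example (not code from the original post). The in-memory `members` and `pending` dicts, all function names, storing only a SHA-256 hash of the key, and restoring login after an e-mail revert are assumptions made for illustration.

```python
import hashlib
import secrets
from datetime import timedelta

LIFETIME = timedelta(hours=48)  # validity period stated in the post

# From the table: kind -> (login allowed before activation, action on expiry)
RULES = {
    "register":      (False, "delete_member"),
    "forgot":        (True,  "nothing"),
    "addresschange": (False, "revert_email"),
}

def key_hash(key):
    # Assumption: only a hash of the key is stored, so a leaked table holds no usable links.
    return hashlib.sha256(key.encode()).hexdigest()

def create_link(pending, members, name, kind, now, old_email=None):
    """Issue an unguessable one-time key and apply the pre-activation login rule."""
    key = secrets.token_urlsafe(32)
    pending[key_hash(key)] = {"member": name, "kind": kind,
                              "expires": now + LIFETIME, "old_email": old_email}
    members[name]["can_login"] = RULES[kind][0]
    return key  # goes into the e-mailed link

def activate(pending, members, key, now):
    """Consume a key; return its kind, or None if the key is unknown or expired."""
    row = pending.get(key_hash(key))
    if row is None or now >= row["expires"]:
        return None
    del pending[key_hash(key)]  # single use
    members[row["member"]]["can_login"] = True
    return row["kind"]  # caller shows the password form for register/forgot

def purge_expired(pending, members, now):
    """Delete expired links and apply the table's 'when link expires' action."""
    for h, row in list(pending.items()):
        if now < row["expires"]:
            continue
        action = RULES[row["kind"]][1]
        if action == "delete_member":
            members.pop(row["member"], None)
        elif action == "revert_email":
            members[row["member"]]["email"] = row["old_email"]
            members[row["member"]]["can_login"] = True  # assumption: login restored
        del pending[h]
```
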
