I'm currently working on account activation links instead of sending a "your password is..." e-mail. The puzzle-pieces are falling together, and here's how I think I'm going to implement things:
- The main idea is to allow members to log in only if we are sure they have a valid e-mail address.
- Activation links remain valid for two days (48 hours). After that, they are deleted.
- The form where the password can be set will have a plugin hook, so things like captcha images can be added there.

| | new registration | forgot password | e-mail address change |
|---|---|---|---|
| Login allowed before activated? | No | Yes | No |
| Activation step | Choose a new password | Choose a new password | No extra step. If the link is clicked, we know that the e-mail address exists |
| When link expires... | Delete member info | Do nothing (everything remains as before) | Revert to the old e-mail address |
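
A sketch of the rules in the table above, as an added example rather than code from this post or its project. The class, method, and policy names are assumptions made for illustration, and the in-memory dict stands in for a database table; the store keeps only a hash of each token so that a leaked table does not yield working links.

```python
import hashlib
import secrets

TTL = 48 * 3600  # links remain valid for two days (48 hours)

# Per-type rules from the table: login allowed before activation,
# and what the cleanup job must do once the link has expired.
POLICY = {
    "register":    {"login_before": False, "on_expire": "delete_member"},
    "forgot":      {"login_before": True,  "on_expire": "nothing"},
    "addr_change": {"login_before": False, "on_expire": "revert_email"},
}

class Activations:
    def __init__(self):
        # sha256(token) -> (member, kind, expires_at, old_email)
        self.rows = {}

    def issue(self, member, kind, now, old_email=None):
        token = secrets.token_urlsafe(32)  # unguessable, from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.rows[digest] = (member, kind, now + TTL, old_email)
        return token  # goes into the e-mailed link only, never stored

    def redeem(self, token, now):
        digest = hashlib.sha256(token.encode()).hexdigest()
        row = self.rows.get(digest)
        if row is None or now >= row[2]:
            return None  # unknown, already used, or expired
        del self.rows[digest]  # a link works exactly once
        return row[0], row[1]

    def can_login(self, member):
        # Blocked while any pending activation of a "No" type exists.
        return all(POLICY[kind]["login_before"]
                   for m, kind, *_ in self.rows.values() if m == member)

    def purge(self, now):
        # Delete expired links and report the follow-up action for each.
        actions = []
        for digest, (member, kind, exp, old) in list(self.rows.items()):
            if now >= exp:
                del self.rows[digest]
                actions.append((POLICY[kind]["on_expire"], member, old))
        return actions
```
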