(fundamental) problem with password reset in 1.x: URL's become too long

[Bram de Jong]

Hello all,

on freesound.org we are using the built-in password reset view to send
users password reset emails... and there is a bit of a fundamental
problem with the password reset emails, or more in detail the password
reset URLS: they are way too long.

In our app we get URLs like this:

http://www.freesound.org/home/resetpassword/confirm/1-123-a12345678ed12345d123/

OK, we could cut back the URL by removing our own path
"home/resetpassword/confirm", but I'm sure other people have the same
problems.

Once every 10s of times this gives us problems because -I suppose-
some email apps cut off the URL, or add newlines into it (perhaps the
dashes!).

We were actually having the same type of problems with (our own)
activation links. Cutting them back to only a fewer (random)
characters solved all the problems there.

cheers,

- Bram

--
http://www.samplesumo.com
http://www.freesound.org
http://www.smartelectronix.com
http://www.musicdsp.org

office: +32 (0) 9 335 59 25
mobile: +32 (0) 484 154 730

[creecode]

Hello Bram,

It's been awhile since I've had this problem.  I don't think it is possible to totally solve the issue but it can be reduced.  The problem is not Django but rather how email is handled from point to point.  What I do is always put urls on a line by themselves and I put two empty lines above and below.  That way is very much easier to see a url wrapping problem.  I also put a note in the email about the url wrapping problem and if the link doesn't' work ask the user to make sure the whole url is in the address field.  In addition I add that they may need to manually copy and paste.  I also have a template email ready to go when a support question of this nature comes in that I can shoot off reiterating what the problem might be and a possible solution.

If you go this route let us know how it works for you.

Toodle-looooooooo...........
creecode

[Bram de Jong]

Hmm,

We have 2 milion users and this isn;t really a good solution for us...

Does anyone else have an alternative password-reset app which doesn't
use as many characters as the default one?

- bram

> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/django-users/-/JF1FmBDYIFoJ.
> To post to this group, send email to django...@googlegroups.com.
> To unsubscribe from this group, send email to
> django-users...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/django-users?hl=en.

[Eric Chamberlain]

We haven't used it for the password reset, but we've modified this short url code <http://code.activestate.com/recipes/576918-python-short-url-generator/> to reduce the length of our urls.

--
Eric Chamberlain, Founder
RingFree Mobility Inc.

[Tom Evans]

On Tue, Nov 15, 2011 at 3:11 PM, Bram de Jong <bram....@gmail.com> wrote:
> Hmm,
>
> We have 2 milion users and this isn;t really a good solution for us...
>
> Does anyone else have an alternative password-reset app which doesn't
> use as many characters as the default one?
>
>  - bram
>

Beware of url-shorteners, if they throw away information then you are
weakening the security of the URL. The one Eric suggested will only
compress integers, so you would need to generate an id for each reset,
which will have less address space than the md5 currently used.

How are you presenting the URL? Obviously, in HTML emails this isn't
an issue at all, simply link to the URL. In text emails, if the URL is
presented on a single line, by itself, surrounded by angle brackets,
all email clients should be able to handle it (apart from the broken
ones of course!)

Cheers

Tom

[Andre Terra]

Since url shorteners have already been suggested, how about the possibility of writing a shorter url pattern in urls.py. Would something like http://www.freesound.org/r/1-123-a12345678ed12345d123/ be good enough for you?


Cheers,
AT

--
You received this message because you are subscribed to the Google Groups "Django users" group.

[Bram de Jong]

On Wed, Nov 16, 2011 at 2:39 PM, Andre Terra <andre...@gmail.com> wrote:
> Since url shorteners have already been suggested, how about the possibility
> of writing a shorter url pattern in urls.py. Would something like
> http://www.freesound.org/r/1-123-a12345678ed12345d123/ be good enough for
> you?

Sure, we could do that...

> On Tue, Nov 15, 2011 at 2:34 PM, Tom Evans <teva...@googlemail.com> wrote:
>> In text emails, if the URL is
>> presented on a single line, by itself, surrounded by angle brackets,
>> all email clients should be able to handle it (apart from the broken
>> ones of course!)

The angle bracket thing is new to me: how exactly does this help? You
do mean regular < and > right?

So

<http://www.google.com>

Should be better than

http://www.google.com

?

- Bram

[Tom Evans]

On Thu, Nov 17, 2011 at 9:44 AM, Bram de Jong <bram....@gmail.com> wrote:
> The angle bracket thing is new to me: how exactly does this help? You
> do mean regular < and > right?
>
> So
>
> <http://www.google.com>
>
> Should be better than
>
> http://www.google.com
>
> ?
>

Yep, exactly. Well behaved email clients will ignore and remove line
breaks when presenting that link to the user viewing the email.

Another thing that can make sending links more successful is to send
multipart/alternative emails, with a text section using that
technique, and an HTML one that specifies it as a link. These days,
most people will see/use the HTML version, whilst those who configure
their email clients specifically to prefer plain text - which will be
a small percentage - will most likely have clients that are well
behaved.

It's straightforward to do this in Django:

from django.core.mail import EmailMultiAlternatives
txt_version = …
html_version = …
msg = EmailMultiAlternatives(subject, text_version, from_addr, [ to_addr, ])
msg.attach_alternative(html_content, "text/html")
msg.send()

Cheers

Tom