Don Marti

Sun 07 Dec 2008 10:01:58 AM PST

Notifications and Password Updates

Working on a web form thingy that will end up having some kind of email notifier on it. Trying to get away from this "antipattern":

  1. Email: Hey, check out example.com! New (whatever)! Link.

  2. Follow the link, try to log in to example.com, forget your password.

  3. Fill out the "forgot password" form, get a link by mail.

  4. Use the link to log back in, reset your password.

  5. What was that notification about again?

The catch is that the only way the "forgot password" loop knows you're you is by your email address, which the site already had, since it used it to send you the mail in step 1. And anyone who can peek at your mail can already become you on the site, so there's no reason for the link in step 1 not to just drop you into an already-logged-in session, other than shoot-at-the-user's-feet-and-yell-dance power madness.
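One way to build the step-1 link so it does exactly that, as an added illustration and not code from the original post: the notification mail carries a signed, expiring, single-use login token, and clicking it lands the user in a session with no password prompt. The server key, the user and notification ids, and the example.com URL layout are all constructed for the demo; the in-memory set standing in for a "redeemed tokens" table is likewise an assumption.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed demo key; a real deployment loads this from a secret store.
SERVER_KEY = b"example-server-key-do-not-use-in-production"

# Stand-in for a database table of already-redeemed tokens (single-use).
_redeemed = set()


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_login_link(user_id: str, notification_id: str, now: float, ttl: int = 3600) -> str:
    """Build the notification link with a signed, expiring, single-use login token.

    `now` is passed explicitly (seconds since epoch) so the flow is testable;
    a live server would use time.time().
    """
    payload = {
        "uid": user_id,
        "nid": notification_id,
        "exp": int(now) + ttl,          # token is only good for `ttl` seconds
        "nonce": secrets.token_hex(8),  # makes every token unique, so single-use tracking works
    }
    body = _b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64e(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return f"https://example.com/n/{notification_id}?t={body}.{sig}"


def token_from_link(link: str) -> str:
    """Pull the token out of the query string, as the click handler would."""
    return parse_qs(urlparse(link).query)["t"][0]


def redeem_token(token: str, now: float):
    """Verify a clicked token. Returns (user_id, notification_id) to start a
    session for that user, or None if the token is forged, expired, or reused."""
    try:
        body, sig = token.split(".", 1)
        presented = _b64d(sig)
    except (ValueError, base64.binascii.Error):
        return None
    # Check the MAC before trusting anything inside the body; constant-time compare.
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(presented, expected):
        return None
    payload = json.loads(_b64d(body))
    if now > payload["exp"]:
        return None
    if body in _redeemed:
        return None  # the same link only logs in once
    _redeemed.add(body)
    return payload["uid"], payload["nid"]


if __name__ == "__main__":
    link = make_login_link("alice", "42", now=1000.0)
    print(link)
    print(redeem_token(token_from_link(link), now=1500.0))  # ('alice', '42')
    print(redeem_token(token_from_link(link), now=1600.0))  # None: already used
```

Two practical caveats for this design. Mail clients and security gateways sometimes prefetch links, which would burn a single-use token before the user ever clicks, so many sites make the landing page confirm the login with a POST rather than consuming the token on the GET. And since the token is exactly as strong as the password-reset mail, it makes sense to keep the resulting session scoped to reading the notification and require the password again before changing the account's email address or password.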