[buddypress-trac] [BuddyPress] #4132: Upload profile image at activation

buddypress-trac at lists.automattic.com buddypress-trac at lists.automattic.com
Fri Apr 20 12:56:59 UTC 2012

#4132: Upload profile image at activation
 Reporter:  sooskriszta  |       Owner:
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  Core         |     Version:  1.5.4
 Severity:  normal       |  Resolution:
 Keywords:  2nd-opinion  |

Comment (by boonebgorges):

 > The majority of large sites I know actually have the user logged in at

 Can you name some examples? I tend to agree with Paul that it's not secure
 to do this kind of auto-login. The issue is this: users activate their
 accounts with an activation key, which is sent in plaintext in an email.
 For the "96%" of users that activate within a few minutes, there is not
 much of a security issue (because the activation keys are deactivated
 after being used). But for those few users who never actually click the
 link, it means that there is an unused activation key sitting out there,
 waiting to be exploited at any point by whoever happens to stumble upon
 the email (or even manages to guess the proper URL).

 If you want auto-login on activation, it's pretty easy to do with a
 plugin. (The hook you'll want to look for is `'bp_core_activated_user'`,
 and the WP function is `wp_set_auth_cookie()`) In this case, I would
 recommend that your plugin also set a short expiration date for activation
 keys, so that after (say) an hour or a day, a user will have to have a new
 key generated and emailed. That'll greatly reduce the likelihood of

Ticket URL: <https://buddypress.trac.wordpress.org/ticket/4132#comment:4>
BuddyPress <http://buddypress.org/>

More information about the buddypress-trac mailing list