How to send a user an email confirmation without registering the user

I want the new user, on registration, to receive a confirmation email, and only after confirming the email can they get access to the login area, not before.

I had made a custom form, a new table to store the info, and sent the validation email; in the meanwhile the user's info is only in a custom table in the database. Only after the email validation, which means the user clicks the custom email link and a new window opens on the website congratulating him on the new registration and email validation, does the user get registered, already logged on, and go to the home page. In the backend WordPress validates the key generated and returned by the user, registers the user and deletes the info from the custom email confirmation table. OK, this is all done and working fine. eheh.

My question is: is there any WordPress function to do the same, because I don't know any.
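The flow the post describes (pending row, e-mailed key, validate the key, create the real account, delete the pending row), as an added example written in Python as a language-agnostic sketch. It is not WordPress code and uses no WordPress API; PENDING stands in for the custom table, USERS for the real user table, and the confirmation URL and 24-hour lifetime are assumed placeholders.

```python
"""Pending-registration flow with an e-mailed, single-use confirmation key.

Added example, not the poster's code and not WordPress code. Names marked
"assumed" are placeholders for the purposes of the example.
"""
import hashlib
import secrets
import time

PENDING = {}                 # key_hash -> pending applicant (stands in for the custom table)
USERS = {}                   # username -> account record (stands in for the users table)
KEY_LIFETIME_S = 24 * 3600   # assumed: confirmation links expire after one day
CONFIRM_URL = "https://example.com/confirm?key="   # assumed placeholder


def _key_hash(key: str) -> str:
    # Store only a hash of the key so that reading the table does not yield usable links.
    return hashlib.sha256(key.encode()).hexdigest()


def start_registration(username: str, email: str, password_hash: str, send_mail) -> None:
    """Record the applicant in PENDING and e-mail a single-use confirmation link.

    password_hash is assumed to already be the output of a proper password KDF
    (bcrypt/argon2); this example does not implement one. send_mail(to, link)
    is injected so the flow can run offline.
    """
    if username in USERS:
        raise ValueError("username already registered")
    key = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
    PENDING[_key_hash(key)] = {
        "username": username,
        "email": email,
        "password_hash": password_hash,
        "expires": time.time() + KEY_LIFETIME_S,
    }
    send_mail(email, CONFIRM_URL + key)    # the plaintext key goes only to the mailbox


def confirm_registration(key: str):
    """Validate the key from the link; on success create the account and drop the pending row.

    Returns the username that was registered, or None if the key is unknown,
    already used, or expired.
    """
    rec = PENDING.pop(_key_hash(key), None)   # pop: a key is consumed on first use, valid or not
    if rec is None or rec["expires"] < time.time():
        return None
    if rec["username"] in USERS:              # lost a race with another confirmation
        return None
    USERS[rec["username"]] = {
        "email": rec["email"],
        "password_hash": rec["password_hash"],
        "email_verified": True,
    }
    return rec["username"]   # the caller then logs the user in and redirects to the home page
```

The key is never stored in the clear and is compared by hash lookup, so a leaked copy of the pending table does not let anyone complete registrations; expiry and the pop-on-use make each link single-use even when it has expired.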

Gravity Forms: How to add PHP function to confirmation conditional shortcode?

In Gravity Forms, I have a confirmation set up with various conditional shortcodes. Example:

[gravityforms action="conditional" merge_tag="{:3:value}" condition="contains" value="E"]*** GET A CATEGORY ***[/gravityforms] 

Additionally, I have a PHP function that gets all posts by category, and I would like to use this function inside the conditional shortcode. I’m not figuring out a way to do this, so any help would be appreciated.

My function: useful_tools_list(array( 'type' => 'documents', 'desc' => 'true' ))

I also made it into a shortcode: [useful-tools type="documents" desc="true"]

I tried using <?php ?>, but I realized I can’t embed PHP into the editor. The conditional shortcode doesn’t support nesting other shortcodes inside of it, so that doesn’t work.

I’m wondering if there is a way to manipulate the GF conditional shortcode to allow nesting? Or another way of calling the function that I’m not aware of?

Should OAuth2 proprietary client authorization prompt a confirmation window?

Given a company named X.

X has an OAuth 2 API available for its proprietary clients and also for 3rd party clients.

When a user P enters the process of authorizing a client, they are prompted with a window (right after authentication) showing several pieces of information (such as the application name, the scopes required, etc.) and must either click "confirm" or "cancel" to continue the process.

While having the user be able to confirm/deny authorization requests from 3rd party clients makes sense, does it still make sense to show this confirmation window for X's proprietary clients?

  • Is there something in the standard that forces you to have this confirmation for every authorization request?
  • Is there a best practice in regard to that, that everyone agrees on?

Cisco IOS EOL confirmation

I am assisting in a network security review and am looking at EOL for some Cisco devices, specifically used with Cisco Unified Communications. I have a VG224 Analog gateway and a 3952 Voice gateway. The running configs for both indicate version 15.1. Based on all the EOL notices I have seen from Cisco, it appears that 15.1 is no longer supported, with 15.1(4) being the last of it. Am I correct on this? Also, it looks like the VG224 is also EOL. Appreciate feedback.

What should an e-mail address confirmation e-mail say?

I’m sending out an e-mail containing a link to prove the user had registered with an e-mail address they have access to.

  1. What is the name of such an e-mail? Verification e-mail, confirmation e-mail, account activation or something else? In a similar sense what is the name of the link in the e-mail?

  2. What should the e-mail say? I want to make this accessible to non-technically inclined users.

  3. What should the subject of the e-mail be?

In a booking confirmation page, is it good UX to tell the user they have an option to cancel once they have booked?

We want to keep the page as simple as possible with the appointment schedule, booking fee and payment method.

But when keeping in mind a user-centric approach, a problem that might arise would be:

What if the user wants to know if they can still cancel the booking?

Would it be a distraction to the main flow (booking) if we explain the cancellation policy to them on the confirmation page?

The policy goes something like:

“You may cancel at least 24 hours before the appointment schedule to get a 100% rebate.”

Take note that this app only charges the booking fee, and a rebate would be given after they have cancelled; the payment for the service would be made after the service has been rendered.

One of the stakeholders also said: "It would give the idea that we aren't confident of our bookings, because we give the users the idea that they can cancel."

Identity confirmation using PIN to decrypt previously issued token

I am building an app (for web and mobile) that requires a user pass two stages of authentication/authorisation in order to access a server-side API and subsequently use the app. First, they must supply valid credentials (username/password). Second, they must meet a series of variable criteria, for example the current time being within a defined range.

I am planning to implement this through the use of two tokens:

  • A long-term, randomly generated, opaque session token
  • A short-lived JWT authorisation token, with self-contained user and expiry data

On the client side, the presence of the session token would allow the user to skip re-entering their (hopefully long and complex) username/password. On the server side, a valid session token would be required to issue an authorisation token, and a valid authorisation token would be required to access the API.

While the goal of the session token is to simplify access (particularly on mobile devices) by removing the need to enter full username/password, I would prefer the user still re-confirm their identity before a new authorisation token is issued. A shorter numeric PIN (or potentially a fingerprint/face scan on supported devices) could allow this.

However, storing such a PIN along with the user’s other data on the server would require full management facilities, as with their password (“I forgot my PIN”). To avoid this overhead, I am thinking about the following approach.

On initial login (no known session token):

  • Ask for and submit username, password, and PIN.
  • If username/password are valid, generate the session token.
  • Encrypt the session token under a key derived from a server-known secret plus the submitted PIN.
  • Return the encrypted session token to the client.

On subsequent login (known session token):

  • Ask for PIN.
  • Submit PIN and encrypted session token.
  • Decrypt the session token, using the submitted PIN, and compare the result to that stored on the server.
  • If the decrypted session token matches a valid session, the user has confirmed their identity and an authorisation token can be issued.

In my mind, this allows a simple “identity confirmation” step with little overhead. The user can reset their PIN at any time simply by fully logging out and logging back in again, choosing a new PIN. And while the PIN is short and simple, it is combined with a server-known secret in order to derive the encryption key, so an offline brute-force of the encrypted session token should be extremely difficult. And server-side use of a slow key derivation function, rate limiting, and lockouts on failed attempts should mitigate online attacks on the PIN.

So my question is: is my thinking correct? Is this a secure way to achieve my goal?
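The two procedures the post lays out (initial login that returns the session token encrypted under a PIN-derived key, and the subsequent PIN-only confirmation that decrypts it and compares against the server's record), as an added example that is not the poster's code. It is standard-library Python: scrypt is the slow KDF, the server secret is mixed into the KDF input, and, because the standard library has no AES, the "encryption" is HMAC-SHA256 in counter mode used as a stream cipher. The session identifier sent in the clear beside the blob, the lockout threshold of five, the lifetimes, and the HMAC-signed stand-in for the JWT are all assumptions of the example.

```python
"""PIN-confirmed re-authentication over an encrypted, server-verifiable session token.

Added example, not the poster's code. Stdlib only; values marked "assumed"
are placeholders for the example.
"""
import hashlib
import hmac
import os
import secrets
import time

# Assumed: in production this is loaded from a KMS/HSM, never embedded. Constructed here.
SERVER_SECRET = bytes.fromhex("6f2c9e1a44b07d3e8c51fa9027e6b4d1c0a3f58e7b2d96c4a1e0f37d5b8c2a96")
MAX_FAILED_PIN_ATTEMPTS = 5              # assumed lockout policy
SESSION_LIFETIME_S = 30 * 24 * 3600      # assumed: long-lived session token
AUTHZ_LIFETIME_S = 15 * 60               # assumed: short-lived authorisation token

# Server-side session store: session_id -> record. Only a hash of the token is kept.
SESSIONS = {}


def _derive_key(pin: str, salt: bytes) -> bytes:
    # Slow KDF over (server secret || PIN): without the server secret the client
    # blob alone gives an attacker nothing to brute-force the PIN against offline.
    return hashlib.scrypt(SERVER_SECRET + pin.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a stream cipher; encrypt and decrypt are the same op.
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def initial_login(username: str, password: str, pin: str, check_password):
    """Full login: verify credentials, mint a session token, return it encrypted under the PIN.

    check_password(username, password) is injected so the example runs offline.
    Returns (session_id, blob); the client stores both, the plaintext token never leaves the server.
    """
    if not check_password(username, password):
        raise PermissionError("bad credentials")
    token = secrets.token_bytes(32)
    session_id = secrets.token_hex(8)
    SESSIONS[session_id] = {
        "user": username,
        "token_hash": hashlib.sha256(token).digest(),
        "expires": time.time() + SESSION_LIFETIME_S,
        "failed_pins": 0,
    }
    salt, nonce = os.urandom(16), os.urandom(16)
    blob = salt + nonce + _xor_keystream(_derive_key(pin, salt), nonce, token)
    return session_id, blob


def confirm_pin(session_id: str, blob: bytes, pin: str) -> str:
    """Subsequent login: decrypt the blob with the PIN and compare to the stored session.

    Raises PermissionError on an unknown/expired session, a locked session, or a
    wrong PIN (which is counted towards the lockout). Returns an authorisation token.
    """
    rec = SESSIONS.get(session_id)
    if rec is None or rec["expires"] < time.time():
        raise PermissionError("no such session")
    if rec["failed_pins"] >= MAX_FAILED_PIN_ATTEMPTS:
        raise PermissionError("session locked; log in again with username/password")
    salt, nonce, ciphertext = blob[:16], blob[16:32], blob[32:]
    candidate = _xor_keystream(_derive_key(pin, salt), nonce, ciphertext)
    if not hmac.compare_digest(hashlib.sha256(candidate).digest(), rec["token_hash"]):
        rec["failed_pins"] += 1
        raise PermissionError("wrong PIN")
    rec["failed_pins"] = 0
    return _issue_authz_token(rec["user"])


def _issue_authz_token(user: str) -> str:
    # Assumed stand-in for a signed JWT: "user.expiry.hmac".
    payload = f"{user}.{int(time.time()) + AUTHZ_LIFETIME_S}".encode()
    return payload.decode() + "." + hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
```

The hash of the token plus the constant-time comparison is the post's "compare the result to that stored on the server" step; because the token is 256 random bits, a wrong PIN decrypts to a value that matches nothing, so no separate authenticity tag is needed for the check. The failure counter has to be keyed on something the server can read before the PIN is known, which is why the session identifier travels in the clear next to the blob; with a four-digit PIN it is that counter and the lockout, not the KDF cost, that keep the online guess budget small.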