[ic] Email login links without plain text password

IC ic at tvcables.co.uk
Thu Sep 15 20:24:29 UTC 2016


> Sounds like you have either a custom receipt or an old one. You may wish
> to review the current mail receipt used by the Strap template:
> 
> https://github.com/interchange/interchange/blob/master/dist/strap/etc/mail_receipt
> 
> It only sends the "password" in the email if the user wasn't logged in;
> that is, an auto-created user will get the link to check order status,
> and the password is typically their phone number. You can always remove
> this (line 107, etc).


Hi Josh,

Yes, we do have a custom receipt and ship_notice that deliberately generate a
link to give customers 1-click access. I know what causes the password to be
issued in the link, as we do this:

[area no-session=1
      form='
      mv_username=[loop-data transactions username]
      mv_password=[data table="userdb" column="password" key="[loop-data transactions username]"]
      mv_click=Login
      mv_todo=return
      mv_nextpage=order_detail
      mv_arg=[loop-code]
']

Most customers like this as we don't store any payment information, but a few
customers don't like seeing their password in plain text in the email.

I thought encrypting the password would help; although it obfuscates the
password in the link, you can't log in with it, as IC is still expecting it in
plain text.

Regards,
Andy
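
As an added example, not part of the original post or of Interchange itself: one way to give one-click access without placing the password in the link is to email a signed, expiring token scoped to a single order and verify it server-side. The sketch is standalone Perl using Digest::SHA; the secret, the parameter names (u, o, e, m) and the sample values are assumptions, and wiring it into the catalog's order_detail page is not shown.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a server-side secret that is never sent to the customer.
# Placeholder value for the demonstration only.
my $SECRET = 'constructed-demo-secret-change-me';

# Build the query-string values for a one-click order link. The link carries
# the username, order number, expiry and a MAC, never the password.
sub make_link_token {
    my ($username, $order, $ttl, $now) = @_;
    my $expires = ($now // time) + $ttl;
    my $mac = hmac_sha256_hex(join("\0", $username, $order, $expires), $SECRET);
    return { u => $username, o => $order, e => $expires, m => $mac };
}

# Compare two strings without stopping at the first differing byte.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns 1 only if the MAC matches these exact values and the link is unexpired.
sub verify_link_token {
    my ($p, $now) = @_;
    $now //= time;
    for my $k (qw(u o e m)) { return 0 unless defined $p->{$k} }
    return 0 unless $p->{e} =~ /\A\d+\z/;
    my $want = hmac_sha256_hex(join("\0", @$p{qw(u o e)}), $SECRET);
    return 0 unless ct_eq($want, lc $p->{m});
    return $p->{e} >= $now ? 1 : 0;
}

# Constructed sample values.
my $t0  = 1473971069;
my $tok = make_link_token('andy@example.com', 'ORD1001', 7 * 86400, $t0);
printf "valid:    %d\n", verify_link_token($tok, $t0 + 3600);
printf "expired:  %d\n", verify_link_token($tok, $t0 + 8 * 86400);
printf "tampered: %d\n", verify_link_token({ %$tok, o => 'ORD1002' }, $t0 + 3600);
```

Because the MAC covers the order number and expiry, a leaked link exposes one order for a limited time rather than the account password.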



