Guest passwords & recovery

oskay Member
in Help edited January 2010
I was testing my checkout flow and entered my e-mail address. The cart helpfully reminded me that I was a returning customer... but I couldn't seem to get the password right, so I clicked "Email me my password."

A few notes and/or questions on this.

1.) It said that it had mailed my password, but then it didn't show up for quite a while-- maybe 15 minutes. This was surprising. A second test was faster.

2.) The password that I received looked like line noise. I'm sure I hadn't entered it. So... is it the case that this was one of those automatically generated passwords because I had used guest checkout previously? If that is the case, wouldn't it be better to just treat customers who were previously guest checkout as *not* having a password?

3.) It looks like when you request a password to be mailed, it's sent in clear text. (I tried requesting my password twice, and got the same line noise-- so it looks like you're not generating new line noise each time.) People don't like to have their personal passwords mailed in plain text... so wouldn't it be better to either
(a) generate a new, temporary password, or
(b) mail a link to a page where they can enter a new password, or
(c) mail a link to prepopulate their shipping info and reset info to guest

4.) The return address of the e-mail message was from FoxyCart. While I'm anything but ashamed of you, I think it's better if everything customer-facing comes from the same domain.
Comments
  • brett FoxyCart Team
    Hey @oskay.

    Good questions.
    1) It mails immediately, unless our mail server gets told there's a delay and doesn't send immediately. I can check our mail logs if you know exactly when you made the request.

    2) It's possible, but that _shouldn't_ be the case. It kind of depends on what choice you made when you upgraded to v060. There's the choice to basically "forget" all your customers or convert them into "real" customers. Before v060 we didn't have a bit in the db to distinguish, so when you upgrade it sets that for your store's users. Do you remember what you chose when you upgraded?

    3) Yes, ... yes. We know. That's a big pet peeve of mine. A and B are somewhat tricky because we don't currently have any UI for those types of interactions at all. C is an interesting idea, but is kind of tricky because a guest account is really and truly a 1-time-use customer. So you can't really overwrite a "returning" account with a guest, nor with another returning customer. That said, perhaps we could reload the page with a token indicating they're resetting their pw, somewhat similar to how the sub_tokens work (at least, kinda sorta).

    4) I know that was brought up before, but apparently we never got around to fixing it. We'll take a look... Huh, we had a ticket for this but we marked it fixed in 041... we'll have to take a look, seeing as we didn't actually have a v041 and all ;)
  • luke FoxyCart Team
    Thanks for pointing this out, oskay. We "thought" we fixed #4 back in 050 but I think we made improvements to how we send our receipt emails after that which use the 'Sender' header and such with the store's email as the From and Reply-To... those changes were on the receipt emails but not the lost password emails. We just rolled out a fix for that so it should be working correctly now in 060.
  • "2) It's possible, but that _shouldn't_ be the case. It kind of depends on what choice you made when you upgraded to v060."
    You had said that you manually updated the users for us (setting them to anonymous, IIRC). But, I don't know if "my" account was created before or after that, nor do I have any other data points on what happened to our records; before 060, we were strictly in the "fake" (prepopulated) guest mode.
    "3) Yes, ... yes. We know. That's a big pet peeve of mine. A and B are somewhat tricky because we don't currently have any UI for those types of interactions at all."
    I don't think that you need a UI for A). Just do what everyone else does: E-mail a randomly generated password and on the screen where you say "password mailed," say that it's a randomly generated password and that the user can change their password when they sign in. Repeat that message in the e-mail. (The one disadvantage to this scheme is that if the e-mail takes a while to show up, someone might click it again, and then you've got multiple passwords floating around, and the first password that they got by e-mail no longer works....)
  • luke FoxyCart Team
    Regarding #2... I just went through all of your customers and it looks like (from the address) you happen to have two accounts in there with your same email address that are both marked as not anonymous. Looking at it now, I have a very vague recollection of seeing this and wondering if it might be a problem when we first set your customers to anonymous. I thought I had emailed you about it regarding which account I should mark as anonymous, but I guess I didn't. The one with the "noise" password appears to be the only one that has ever actually logged in so I'll mark the other one as anonymous and you should be good to go. All of your other customers should be fine.
  • luke FoxyCart Team
    Oh, and with #3... A lot of stores integrate their systems using the XML Datafeed so if someone changed their password without completing a transaction that could cause some problems if they were using that login and password hash for something else... but now that we have SSO in place, maybe that's the solution since anyone doing that kind of integration today should be using SSO (which would mean they don't have the option to change their password on the FC side of things anyway). Interesting... I think that actually would be a good solution we could implement in a future version.

    Thoughts?
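
An added example, not FoxyCart code and not written by anyone in the thread: a sketch of option (b) from the first post, where the e-mail carries a single-use, expiring reset link instead of a stored password. The class, the function names, the 30-minute lifetime and the in-memory dictionaries are all assumptions made for illustration; guest accounts get no password, and a second request does not invalidate the first link until one of them is used.

```python
import hashlib, hmac, secrets

TOKEN_TTL = 30 * 60  # seconds a reset link stays valid (assumed value)

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Accounts:  # hypothetical in-memory store standing in for the customer table
    def __init__(self):
        self.users = {}   # email -> None for a guest, else (salt, password_hash)
        self.tokens = {}  # sha256(token) -> (email, expires_at)

    def set_password(self, email, password):
        salt = secrets.token_bytes(16)
        self.users[email] = (salt, _kdf(password, salt))

    def add_guest(self, email):
        self.users[email] = None  # guest checkout: nothing to mail or recover

    def check(self, email, password):
        rec = self.users.get(email)
        return rec is not None and hmac.compare_digest(rec[1], _kdf(password, rec[0]))

    def request_reset(self, email, now):
        """Return the token for the e-mailed link, or None for guests/unknown."""
        if self.users.get(email) is None:
            return None
        token = secrets.token_urlsafe(32)
        # Only a hash of the token is stored, so the table alone cannot be replayed.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (email, now + TOKEN_TTL)
        return token

    def redeem(self, token, new_password, now):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)
        if entry is None or now > entry[1]:
            return False  # unknown, already used, or expired
        email = entry[0]
        self.set_password(email, new_password)
        # Using one link revokes every other outstanding link for the account.
        self.tokens = {d: e for d, e in self.tokens.items() if e[0] != email}
        return True
```

The old password keeps working until a link is actually redeemed, so a delayed e-mail followed by a second request leaves the customer with two usable links rather than a dead first one.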