I'm setting up a site where users have their own "profile". I'm using routes for neat URLs and I wondered what are the pros/cons to the following:

example.com/:username

Or should I include a static route to filter that it's a profile page request?

example.com/u/:username
example.com/something-static/:username

Which is best?

+1  A: 

I don't think you'd want

example.com/:username

as that would put restrictions on the usernames available so as not to clash with other paths under the url.

I would propose

profiles.example.com/:username
DanSingerman
I have all of the static routes I need. I am also reserving some and I can always do example.com/something-static/my-new-page if I get really stuck in the future? (where something-static is already reserved)
ed209
+3  A: 

If it is possible for the user to specify their username and customize their profile page in a significant way, then you run the risk of enabling fraud/phishing attacks.

For example, I could register with a username of "passwordreset", and then put a form (or a link to a form) on my profile page, and then try to persuade people that they need to reset their passwords by visiting example.com/passwordreset.

Then I could harvest the passwords.

If the URL was example.com/users/passwordreset, there is more chance that an alert user would become suspicious.

Oddthinking
Can't I just prevent anyone registering any username with "password" in it? (and other strings like forgot, username, reminder etc...)
ed209
Good luck coming up with a complete list. Don't forget "FAQ" and "Help"... "Passw0rd" and Unicode-camouflage... "Contraseña" and other languages... Common typos in your reserved words...
Oddthinking
@ed209 - If you really want to do it the first way you mention then you really can - but you have 2 answers here which suggest why perhaps you shouldn't. @Oddthinking - agreed; I have never known a system where such design decisions have been made up front and been seen to be correct in hindsight.
DanSingerman
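
The blocklist weakness raised in the comments above and the effect of a static prefix, as an added Python example that is not part of the original thread. The reserved names, the blocklist and all function names are constructed for illustration.

```python
import unicodedata

# Constructed for illustration: top-level paths the site serves or reserves.
RESERVED = {"login", "help", "faq", "passwordreset", "u"}
# Constructed blocklist in the style proposed in the comments.
BLOCKED_SUBSTRINGS = ("password", "forgot", "username", "reminder")
LEET = str.maketrans("013457$@", "oieastsa")

def naive_ok(name):
    """Substring blocklist as proposed: lowercase, then search."""
    lowered = name.lower()
    return not any(s in lowered for s in BLOCKED_SUBSTRINGS)

def skeleton(name):
    """Fold compatibility forms, case, accents and common digit swaps."""
    folded = unicodedata.normalize("NFKD", name).casefold()
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    return folded.translate(LEET)

def hardened_ok(name):
    """Reject names whose skeleton is reserved or contains a blocked word."""
    s = skeleton(name)
    return s not in RESERVED and not any(b in s for b in BLOCKED_SUBSTRINGS)

def resolve(path, namespaced):
    """Return (handler, argument) for `path` under either URL scheme."""
    parts = [p for p in path.split("/") if p]
    if namespaced:
        if len(parts) == 2 and parts[0] == "u":
            return ("profile", parts[1])
        if len(parts) == 1 and parts[0] in RESERVED:
            return ("static", parts[0])
        return ("not_found", None)
    if len(parts) == 1:
        # Static routes must win, so any name that is not yet reserved
        # is claimable as a top-level URL by whoever registers it.
        kind = "static" if parts[0] in RESERVED else "profile"
        return (kind, parts[0])
    return ("not_found", None)

if __name__ == "__main__":
    # Constructed sample names, taken from the variants listed in the thread.
    for n in ["Passw0rd", "FAQ", "ｐａｓｓｗｏｒｄ", "contraseña"]:
        print(n, naive_ok(n), hardened_ok(n), resolve("/" + n, False))
```

"contraseña" and a Cyrillic look-alike of "password" still pass the hardened filter. Under the /u/ scheme no username can occupy a top-level path, whatever the filter misses.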