"Behind the Scenes" Newsletter

September 2014

The monthly newsletter by Felgall Pty Ltd

My Word


Just how easy to use are the forms you have on your web site? How easy to use are the forms on the web sites you visit? With spammers quite happy to abuse forms, those forms can end up much harder to use than the real people who are supposed to be using them might like.

Every form needs a certain amount of security built in to help prevent its misuse by spammers. You don't want so much security built in, though, that the form becomes unusable by the people it is intended for. Where the people who are supposed to be using the forms are not very experienced with computers, you need to make things very simple for them or they end up unable to use the form.

As an example of this I have a club membership site where many of the members do not have a great deal of experience with computers. To use the site they need to enter their membership number and password in order to log in and identify themselves as being a member. To allow them to get a password in the first place or to obtain a replacement if they have forgotten it, there is a second form next to the login form to allow a password to be requested. To ensure that not just anyone can request a password this form will only send a password reset to the email address already registered for that member. There is a spot on the application form for new members to supply an email address and members who haven't supplied one are advised on the page to email me to get their email address registered.

At least this is how it was originally set up. Because the password emails can only be sent to a specific email address for each member, and that email address is known both by the member and by the system, not just anyone can obtain a password (unless they first break into a member's email account). Unfortunately some members were attempting to obtain passwords without registering an email address and were getting rather upset and complaining when they couldn't get a password. Many of these complaints were being made to other members who were also unaware of the requirement to register an email address first, giving the system a reputation for not working properly when in fact it was the members who were not using it properly.

You can't change the users, so you have to change the system to suit. Based on this feedback I added yet another form. This new form collects several pieces of information about the member using it, including the email address they want to register. If all of the other information they supply matches what is already recorded and they haven't already registered an email address, then it registers the address for them automatically. If the information matches and there is already an email address registered, it tells them whether the address they entered is the registered one or not. This form is on a separate page with a much clearer message about emailing me if they are unable to successfully register their email address themselves. As a security measure to help prevent this form being misused, the form emails me the information that is entered every time it is used.

When I first set up this form one of the questions that was asked was the year that the member joined. I soon discovered that few members could remember what year they joined and so removed that field from the form. This increases the possibility of misuse of the form by someone who manages to find out the rest of the information being asked for but as only a small percentage of members don't have an email address registered and the form will only actually register one if there isn't one already for that member the chances of someone managing to identify a member that they could set their own email address for is low - plus with the system emailing me every time the form is used they'd need to pick both an appropriate member and a reasonable email address before attempting to use the form. Further changes to that form are possible if it appears that anyone does start trying to misuse the form in an attempt to break in to the system.

The other area where members were finding things difficult is regarding actually obtaining a password that will provide them with access. The issue here is that most of the members don't know how to copy and paste on a computer and so would need to write down and then retype the password given to them at least twice - once to log in and then once to confirm their old password in order to change it. To make it easier for these members I made two further changes to the system. Now when you first log in there is a change password link at the top of the page that only appears when you have first logged in. Clicking on this link allows a new password to be set without first needing to enter the old one (which it copies through from the original login). This allows members to change their password as their first action without having to re-enter the old password. As this link only appears when they first log in, as soon as they move off that page (and even if they return to it later) any attempt to change their password other than as the very first action after logging in will require the old password. This means that the system is still protected against someone else changing their password if they step away from the computer for a short while unless they happen to step away immediately after logging in. As there is also JavaScript code to log out if there has been no activity in the last few minutes attached to all the HTML pages even this link wouldn't appear for long unless the member has JavaScript disabled.

This reduced the number of times that members need to enter the generated password before being able to set their own from twice to once. A minor change to the page supplying the new password eliminated the need to even enter it once. When a member requests a password reset, an email is sent to their registered email address containing a link to obtain a new password. That this doesn't automatically reset their password protects against someone else entering their member number and email address to reset their password. They actually have to click on the link in the email for their password to be reset - in effect a double opt-in reset. In addition this link is only valid for a limited time and can only be used once even within that time in order to provide further security. Since the new password is being set by and displayed on the web page opened by that link rather than being included in the email directly, it was relatively simple to build yet another form into that page which allows the member receiving the new password to use it to log in immediately without needing to re-enter it.
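The reset link described above (sent only to the registered address, valid for a limited time, usable once, and changing nothing until it is clicked) can be sketched as follows. This is an added example, not the code running on the club site; the class and method names, the 30 minute validity window and the in-memory storage are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 30 * 60  # assumed window; the article only says "limited time"


class ResetLinks:
    """One-time, time-limited reset tokens (hypothetical helper, not the site's code)."""

    def __init__(self, registered_emails, now=time.time):
        self.registered = registered_emails  # member number -> registered email
        self.pending = {}                    # sha256(token) -> (member, expiry time)
        self.now = now                       # injectable clock so expiry can be tested

    def request(self, member, email):
        """Return a token to put in the emailed link, or None. Changes no password."""
        known = self.registered.get(member)
        # Only the address already on file for this member can trigger an email.
        if known is None or not hmac.compare_digest(
                known.lower().encode(), email.lower().encode()):
            return None
        token = secrets.token_urlsafe(32)
        # Keep only a digest, so a leaked table does not reveal usable links.
        self.pending[self._digest(token)] = (member, self.now() + RESET_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Called when the link is opened. Returns (member, new_password) or None."""
        # pop() removes the entry whether or not it is still valid: single use.
        entry = self.pending.pop(self._digest(token), None)
        if entry is None:
            return None
        member, expiry = entry
        if self.now() > expiry:
            return None
        # The password is only generated here, for display on the page the link opens.
        return member, secrets.token_urlsafe(9)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()
```

The caller is expected to store a hash of the returned password and show the password once on the page, which is where the article's immediate-login form would sit.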

The changes to the system were based on the feedback that I received from the members who were trying to gain access to the system. These changes hopefully make it much easier for legitimate club members to gain the access they are entitled to while still maintaining sufficient security to keep everyone else out.

Other security measures are built into the actual login process which mean that someone can't simply enter a valid member number and then attempt to break in by making numerous attempts to guess the password. This too is set up in a way that minimises the inconvenience to members if they mistype their password and have to try again (they are asked to wait a minute or so before trying again) while effectively locking the account if a brute force attack is made.
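One way to get the behaviour described above, a short wait after a single mistyped password and an effective lock under sustained guessing, is a per-member delay that doubles with each consecutive failure. This is an added example and not the site's own login code; the doubling rule, the 60 second base, the 24 hour cap and all names are assumptions.

```python
import time

BASE_WAIT = 60        # assumed: "a minute or so" after one mistyped password
MAX_WAIT = 24 * 3600  # assumed cap so the wait cannot grow without bound


class LoginThrottle:
    """Per-member login throttle (hypothetical helper, not the site's code)."""

    def __init__(self, check_password, now=time.time):
        self.check_password = check_password  # callable(member, password) -> bool
        self.state = {}                       # member -> (failures in a row, wait until)
        self.now = now                        # injectable clock for testing

    def wait_remaining(self, member):
        """Seconds the member must still wait before another attempt is accepted."""
        _, until = self.state.get(member, (0, 0.0))
        return max(0.0, until - self.now())

    def attempt(self, member, password):
        """Return 'ok', 'bad' (wrong password) or 'wait' (refused, try later)."""
        if self.wait_remaining(member) > 0:
            # Refused without checking the password, so guesses made during
            # the wait reveal nothing about whether they were right.
            return "wait"
        if self.check_password(member, password):
            self.state.pop(member, None)  # success clears the failure count
            return "ok"
        failures = self.state.get(member, (0, 0.0))[0] + 1
        # 60s, 120s, 240s, ...: one typo costs a minute, a guessing run
        # quickly reaches hours per attempt.
        wait = min(BASE_WAIT * 2 ** (failures - 1), MAX_WAIT)
        self.state[member] = (failures, self.now() + wait)
        return "bad"
```

With these constants the tenth consecutive wrong guess leaves the account refusing logins for about eight and a half hours, while a member who mistypes once waits one minute.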

In each case the setup is a compromise between making the system as easy as possible for the legitimate users to use while providing as much security as possible to keep everyone else out.

Looking at the forms used on other sites I have noticed that in some cases the amount of security built in actually interferes with the legitimate use of the form. In some cases these additional features do not actually add anything to the security of the form either. For example I know of one page that first asks you to log in to your account (the most effective CAPTCHA there is) and then annoys you with a second more obtrusive CAPTCHA that only those who successfully got past the first more effective CAPTCHA even get to see. I provided feedback to that site that their forms were harder to use than they needed to be and that they were using obtrusive CAPTCHAs after already having obtained proof that it was an actual member - but that feedback was ignored.

Do you get feedback from your forms (either by having the process itself collect information about how the forms are used or by people telling you about problems they have with them)? Do you provide feedback on the forms you use if they are more awkward to use than they need to be? Do you amend the way your forms work based on the feedback you get? By providing feedback to others and by acting on the feedback you get, the forms can be amended to make for a much better user experience while still maintaining the necessary security, making for much more user friendly web sites.

On Site

This month sees the relaunch of my web site. No longer is it simply promoting a few scripts from the site. Instead it is now the home of my hosted club membership script which is finally ready for beta testing. If you know of any clubs looking for new club membership software that would be interested in beta testing a hosted solution please let me know.

What's New

The following links will take you to all of the various pages that have been added to the site or undergone major changes in the last month.
