Automating User Registration

One of the big drawbacks with using HTTP authentication to keep track of web users is that we have to do all that manual updating of the .htpasswd and .htgroup files. A nice way to enhance such a system would be to automate the signup process, letting users create their own username/password combinations and updating the .htpasswd and .htgroup files accordingly.

Such an approach raises the following question, though: if users are signing themselves up for membership accounts in some automated fashion, what’s the point of even bothering with a membership requirement? A malicious user of a web-based discussion forum could just create new membership accounts all day long, thwarting any effort to deny her access to the resource.

An approach taken by many membership-based web sites is to require users to demonstrate that they have supplied a real, working email address before granting them access. While such a system can still be subverted by a moderately motivated antagonist, in practice it is sufficient for many sites’ authentication needs. In any event, that’s the method that will be presented in this chapter’s extended example.

Figure 19-2 diagrams the sequence of steps a user would follow to create a new member account using such a system:

  1. The user fills out an initial form, supplying a username, a password, and an email address.

  2. On the web server, the information supplied by the user is stored in a temporary holding area. Also stored with it is a ...
