Staff:NickServ Cookies

Adapted from services-darenet/docs/cookies.txt

NickServ uses cookies, in conjunction with email and SMS authentication, for various things, offloading some human support. Use of cookies can be disabled in services' configuration file, in which case current email addresses and mobile phone numbers are preserved, but not displayed or used. However, for the purpose of this document we will assume they are enabled since we use them on DareNET.

Cookies (10-character case-sensitive alphanumeric strings; they are base64-encoded random numbers) are used for the following things:


 * Account activation. When a new account is registered, its password is set to an unusable string. A cookie is sent to the email address provided during registration and can later be used to authenticate to the account and change the password (as for forgotten password changes, below). NOTE: This method is currently disabled on DareNET in favor of the current web registration setup.


 * Changing email addresses. When an authenticated user requests that their email address be changed, half of the cookie is sent to the old (current) email address, and the other half is sent to the new email address. Both halves must be presented back to NickServ to complete the change.


 * Authcookie. When a user issues the  command for their account, a cookie is sent to the email address NickServ has on file for it. If the user successfully supplies that cookie back to NickServ, they are allowauthed.


 * Changing forgotten passwords. A user may request a cookie be sent to the email address on file for their account; this will allow them to authenticate and change their password.


 * Set mobile phone number. A user may associate a mobile phone number with their account to receive SMS notifications from services. An SMS containing the cookie is sent to the mobile phone number; the cookie can then be supplied back to NickServ to complete the setup process.

Limitations
As with most automated systems, a few limitations do apply (though mostly by design):


 * Only one cookie will be issued per account at any given time. The current cookie must be used or time out before another one is issued.


 * Cookies time out after a configurable amount of time (the default is 24 hours).


 * Only one un-activated account is allowed per email address.

Associated commands
The following commands are provided (overriding non-cookie commands of the same name, if there is overlap):


 * REGISTER  - Registers the account. A cookie is sent to the email address provided, allowing them to activate their account. NOTE: This command is disabled on DareNET. http://www.darenet.org/register should be used instead.


 * SET EMAIL  - Allows a user to change the email address associated with their account. Half of the cookie is mailed to their current (old) email address, and the other half to the new address specified with this command. Both halves must be supplied back to NickServ for the change to take effect.


 * SET MOBILE  - Sends an SMS containing a cookie to complete the setup process.


 * AUTHCOOKIE  - Emails a cookie for authentication.


 * RESETPASS  - Begins the password reset process for an account.


 * COOKIE [ ]  - Performs the following, depending on the account's cookie type:
   * If account's cookie type is REGISTER, activates the account that was registered using the  command, also setting the account's password to what was specified during the registration process.
   * If account's cookie type is EMAIL_CHANGE, changes email address.
   * If account's cookie type is PASSWORD_CHANGE, changes password.
   * If account's cookie type is ALLOWAUTH, allows user to authenticate if password matches.
   * If account's cookie type is MOBILE, associates the number specified with the  command with the account.
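
The cookie lifecycle described above (one cookie per account, timeout, split delivery for email changes, dispatch on cookie type), as an added Python example that is not the services' own code. It assumes cookies are drawn from [A-Za-z0-9] with a CSPRNG, that the two EMAIL_CHANGE halves are the first and last five characters, and that a cookie is consumed on successful use; `CookieStore`, `issue` and `redeem` are hypothetical names.

```python
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits  # assumption: [A-Za-z0-9]
COOKIE_LEN = 10                                  # length stated on the page
DEFAULT_TIMEOUT = 24 * 3600                      # default timeout on the page

class CookieStore:
    """Hypothetical model: one outstanding cookie per account."""

    def __init__(self, timeout=DEFAULT_TIMEOUT, clock=time.time):
        self.timeout = timeout
        self.clock = clock            # injectable so expiry can be tested
        self.pending = {}             # account -> (type, cookie, expires_at)

    def issue(self, account, ctype):
        """Create a cookie; returns the part(s) to deliver out of band."""
        current = self.pending.get(account)
        if current and current[2] > self.clock():
            raise RuntimeError("a cookie is already outstanding")
        cookie = "".join(secrets.choice(ALPHABET) for _ in range(COOKIE_LEN))
        self.pending[account] = (ctype, cookie, self.clock() + self.timeout)
        if ctype == "EMAIL_CHANGE":
            # Assumed split: first half to the old address, second to the new.
            return cookie[:5], cookie[5:]
        return (cookie,)

    def redeem(self, account, presented):
        """Return the cookie type on success, None otherwise."""
        current = self.pending.get(account)
        if current is None:
            return None
        ctype, cookie, expires_at = current
        if expires_at <= self.clock():
            del self.pending[account]     # timed out: drop it
            return None
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(cookie.encode(), presented.encode()):
            return None
        del self.pending[account]         # assumed single use
        return ctype
```

Because `redeem` only succeeds on the full 10-character value, control of one mailbox alone is not enough to complete an email change in this model.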