password-based access control and email

by David Mintz <mambomintz(at)yahoo.com>

 Date:  Wed, 13 Feb 2002 14:32:45 -0800 (PST)
 To:  hwg-languages(at)hwg.org
Hello,

I have a couple of clients asking me to set up 'members
only' sections of their sites where only members of
organization x can have access and query a database,
update their own entries in a directory, etc.

In such situations it's customary to have an
email-based password reminder service. However, if
email addresses are not unique in the database, then
you could potentially have a problem. If person 1 and
person 2 are both somebody(at)whatever.com, then you're
sending person 1's password to where person 2 can get
it. True, if these two share an email account, there
must be a high level of trust. But if person 1 drops
out of the organization, person 1 could still get this
membership benefit for free whenever person 2 gets an
emailed password reminder. True, people can share
login credentials anyway, but this makes it all the
more inviting.

Also, not real likely, but if non-unique email
addresses are permitted, a person could conceivably
misspell his email address in a way that happens to
match an existing address, and then you'd have
confusion.

Now, a client just handed me a membership data file to
import into MySQL, and it has a good number of members
who share a common email address. I guess they like
doing that. 

Question: am I overlooking some way around this issue,
or do I have to tell them they have to get unique
email addresses?

Thanks,

David Mintz
Spanish Interpreter
US District Court, Southern District of New York
Web Design & Hosting http://www.dmintzweb.com/
Personal http://www.panix.com/~dmintz/

"You want me to pour the beer, Frank?"
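
The check below is an added example, not part of the original post: it audits a membership export before import and shows which accounts an email-keyed password reminder would match. The CSV layout, column names, sample rows and function names are all constructed for illustration, and it assumes addresses are compared case-insensitively.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a membership export; column names are assumptions.
SAMPLE_CSV = """member_id,name,email
1,Ana Ruiz,office@example.org
2,Ben Ortiz,Office@Example.org
3,Cara Diaz,cara@example.net
4,Dev Shah, dev@example.com
5,Eli Park,dev@example.com
6,Fay Lin,
"""


def normalize_email(raw):
    """Trim whitespace and lowercase (assumption: case-insensitive matching)."""
    return (raw or "").strip().lower()


def index_by_email(csv_text):
    """Return ({email: [member_id, ...]}, [member_ids with no address])."""
    by_email, missing = defaultdict(list), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = normalize_email(row.get("email"))
        if email:
            by_email[email].append(row["member_id"])
        else:
            missing.append(row["member_id"])
    return dict(by_email), missing


def shared_addresses(by_email):
    """Addresses attached to more than one account."""
    return {e: ids for e, ids in by_email.items() if len(ids) > 1}


def reminder_targets(by_email, requested):
    """Accounts a reminder keyed only on email would match.
    More than one id means the message is ambiguous about whose credentials it carries."""
    return by_email.get(normalize_email(requested), [])


if __name__ == "__main__":
    index, no_email = index_by_email(SAMPLE_CSV)
    for addr, ids in shared_addresses(index).items():
        print(f"shared: {addr} -> members {', '.join(ids)}")
    print("no address on file:", no_email)
```

Running the audit on the client's file before import gives a concrete list of the shared addresses to take back to them.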


HWG: hwg-languages mailing list archives, maintained by Webmasters @ IWA