I would like the "Thankyou" page to show the ticket number, instead of relying on e-mail to go through.
I understand that this is a security issue due to the fact that all someone would need is a current users e-mail address, and they would have access to their entire history of tickets.
My solution to this is simple. Why use an e-mail address at all? How about instead of an e-mail address, the person picks a one time password. Something like "jdaD98$@a./dD". This way every time they go to make a new ticket, they enter this password in the e-mail field, and they are given a ticket number. When they want to check their ticket, they type in their password and their ticket number.
Does anyone see a problem with this solution? I don't see why the persons e-mail needs to be involved in the first place. I guess it's there to notify them when a new message appears, but couldn't this be done by having them also enter their e-mail at some point, in a different location? Perhaps from within the ticket, they would have the option "Receive notifications by e-mail, check this box".
If this removes the security risk involved, how difficult would it be to change the e-mail field to a password field? This would have to disable the e-mail function that notifies people of their ticket number of course.
Thanks
