Thread: Sending link by email to new user of reserved area
View Single Post
  #5  
Old 05-17-2008, 05:05 AM
navaldesign's Avatar
navaldesign navaldesign is offline
General & Forum Moderator
  
Join Date: Oct 2005
Location: Italy
Posts: 9,035
Default Re: Sending link by email to new user of reserved area
permalink
Quote:
Originally Posted by Watdaflip View Post
If you are not concerned with security you can do as naval has suggested. If you are concerned, then its best to make a completely random string, one not based on their username or password at all. This ways the only way to know the actual activation string is to have retrieved it from their email.

Basically yes, there are ways to check if an email really exists (which doesn't necessarily work on all emails) but this is the only way, with relative certainty, to know that whomever registered also controls the email they specify. And there are other more complicated ways, but won't necessarily be any more secure

For the sake of security I would say to not do a login during the activation, and just redirect them to the login page. (You don't want to authenticate based on a link from an email, you want them to verify they know the username and password).

Also if you have your login script setup securely, the only way to login should be using a username and password. That is, you script should only store encrypted passwords, and should compare the username/password they enter with what is stored on the website... on every page load. The only way you could then log the user in without them entering the password would to only check if a flag is set (Saving a variable $login=true;) which is not a secure way to handle user authentication, and should be avoided.
Excactly, that's my point. I only want to see if they they are the owners and in contol of the email address they provide. They DON'T log in, they simply answer an email sent to the email address they provided, for verification purposes. The username is onlyused to know WHICH user that is. I use the username because in my scripts username/password/email address are unique. I don't want to use the password, so i only have an option for the username.

Once they are verified, they can proceed to normal log in. Once they do, the authentication script stores the authentication result as a session variable. On every pahe load the protection code checks to see if thie session variable has the preset value, or redirects to the log in page.
This is also a very handfull way to perform user group access or perform redirects to specific areas of the site.
__________________
Navaldesign
Logger Lite: Low Cost, Customizable, multifeatured Login script
Instant Download Cart: a Powerfull, Customized, in site, DB driven, e-products Cart
DBTechnosystems.com Forms, Databases, Shopping Carts, Instant Download Carts, Loggin Systems and more....
Advanced BlueVoda Form Processor : No coding form processor! Just install and use! Now with built in CAPTCHA!

Reply With Quote