Thread: Sending link by email to new user of reserved area

Hi,

Everyone knows the procedure when You register Yourself into a new site reserved area.
First step: You register
Second step: An email is sent to You with a link (a strange link.... full of for example: www.yourdomain.com/jsjskslalsaj9427hdjewu383j22) then You must click this link in order to "activate" Your account at that site's reserved area.

I would very much appreciate if someone could give me some ideas of how this is done in the safest / coolest / easyest possible way.

Thanks in advance to all ideas,
pipesportugal

The link usually is something like http://www.yourdomain.com/activation...d=realusername

In some cases, the "realusername" id replaced by a strange string, as the one you posted above. This usually happens when the password of the member is encrypted (in example using md5()) so the activation page recieves the $_GET value for the password and performs a query in the database for the "password" field matching the string.

I prefer to only use the member username, as it doesn't create security issues and simple enough.

Hi navaldesign,

You do it just like that uh? Very simple indeed.
This activate.php program checks the "users" table and changes the login_ok field from 0 to 1 or N to S.
This is only to checkout the existence or not of the user email, so I guess there aren't any security issues with it.
At the end of the activate.php program do You normally "place" them inside the reserved area, or send them to the login page?
Just Your opinion as a programmer?

Thanks for sharing Your opinion,
pipesportugal

If you are not concerned with security you can do as naval has suggested. If you are concerned, then its best to make a completely random string, one not based on their username or password at all. This ways the only way to know the actual activation string is to have retrieved it from their email.

Basically yes, there are ways to check if an email really exists (which doesn't necessarily work on all emails) but this is the only way, with relative certainty, to know that whomever registered also controls the email they specify. And there are other more complicated ways, but won't necessarily be any more secure

For the sake of security I would say to not do a login during the activation, and just redirect them to the login page. (You don't want to authenticate based on a link from an email, you want them to verify they know the username and password).

Also if you have your login script setup securely, the only way to login should be using a username and password. That is, you script should only store encrypted passwords, and should compare the username/password they enter with what is stored on the website... on every page load. The only way you could then log the user in without them entering the password would to only check if a flag is set (Saving a variable $login=true;) which is not a secure way to handle user authentication, and should be avoided.

Originally Posted by Watdaflip

If you are not concerned with security you can do as naval has suggested. If you are concerned, then its best to make a completely random string, one not based on their username or password at all. This ways the only way to know the actual activation string is to have retrieved it from their email.

Basically yes, there are ways to check if an email really exists (which doesn't necessarily work on all emails) but this is the only way, with relative certainty, to know that whomever registered also controls the email they specify. And there are other more complicated ways, but won't necessarily be any more secure

For the sake of security I would say to not do a login during the activation, and just redirect them to the login page. (You don't want to authenticate based on a link from an email, you want them to verify they know the username and password).

Also if you have your login script setup securely, the only way to login should be using a username and password. That is, you script should only store encrypted passwords, and should compare the username/password they enter with what is stored on the website... on every page load. The only way you could then log the user in without them entering the password would to only check if a flag is set (Saving a variable $login=true;) which is not a secure way to handle user authentication, and should be avoided.

Excactly, that's my point. I only want to see if they they are the owners and in contol of the email address they provide. They DON'T log in, they simply answer an email sent to the email address they provided, for verification purposes. The username is onlyused to know WHICH user that is. I use the username because in my scripts username/password/email address are unique. I don't want to use the password, so i only have an option for the username.

Once they are verified, they can proceed to normal log in. Once they do, the authentication script stores the authentication result as a session variable. On every pahe load the protection code checks to see if thie session variable has the preset value, or redirects to the log in page.
This is also a very handfull way to perform user group access or perform redirects to specific areas of the site.