I'm writing an online user-registration system and I'd appreciate advice on security.
Users can register by invitation only - invitees are given a username and password prior to visiting the registration page. When they get there, registration is in two steps:
1. Input the username & password they were given
2. A Perl script looks up their record in a MySQL db to validate the input
3. If validated, the script pulls some other information specific to the user, and returns a template page that has a form for more personal info input and a "Confirm registration" button. But first, it generates a unique session-id and returns it as a hidden field in the new page's form, as well as recording in the db the date & time of the creation of this session.
4. When the user submits the "confirm registration" form, the system checks the session-id for validity and the new submission time against the first one for time-out. If it's all OK, it completes registration.
Everything is passed in the clear. This is http, not https.
I need to be reasonably sure bots or hackers are not registering and figure this is a good way. It's not perfect - but this is not a military or big-bank site or anything.
Critiques, suggestions, all welcome and appreciated.
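The session-id step described above (generate an id, record its creation time, check id and time-out on confirm), written out as an added example that is not the poster's Perl code. It assumes Python with an in-memory SQLite table standing in for the MySQL record, and a constructed 15-minute time-out; the points it shows beyond the post are an unpredictable id from the OS CSPRNG, parameterised queries, a constant-time comparison, and marking the id used after one confirmation.

```python
import hmac
import secrets
import sqlite3
import time

SESSION_TIMEOUT_SECONDS = 15 * 60  # constructed value; tune to how long the form takes


def open_db():
    # In-memory SQLite stands in for the MySQL table in the question.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reg_sessions (username TEXT, session_id TEXT, created REAL, used INTEGER)")
    return db


def create_session(db, username, now=None):
    """Called after the invitation username/password validate. Returns the id for the hidden field."""
    now = time.time() if now is None else now
    # 32 bytes from the OS CSPRNG: not a counter, a hash of the clock, or rand().
    session_id = secrets.token_urlsafe(32)
    # One live session per invitee; placeholders (DBI-style '?') keep user input out of the SQL text.
    db.execute("DELETE FROM reg_sessions WHERE username = ?", (username,))
    db.execute("INSERT INTO reg_sessions VALUES (?, ?, ?, 0)", (username, session_id, now))
    return session_id


def confirm_session(db, username, submitted_id, now=None):
    """Validate the id from the 'Confirm registration' form. Returns (ok, reason)."""
    now = time.time() if now is None else now
    row = db.execute(
        "SELECT session_id, created, used FROM reg_sessions WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False, "no session"          # id must belong to this invitee's record
    stored_id, created, used = row
    if used:
        return False, "already used"        # a replayed confirm must not register twice
    # Constant-time compare so response timing does not leak how many leading chars matched.
    if not hmac.compare_digest(stored_id.encode(), submitted_id.encode()):
        return False, "bad session id"
    if now - created > SESSION_TIMEOUT_SECONDS:
        return False, "timed out"
    db.execute("UPDATE reg_sessions SET used = 1 WHERE username = ?", (username,))
    return True, "ok"
```

The id still crosses the wire in the clear over plain HTTP; this only covers predictability, reuse and time-out.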