Solved

Best practice for register login forms

Posted on 2011-02-14
276 Views
Last Modified: 2012-05-11
Experts, I have a question for you.  I want to make my register form stronger in regards to security for my customer.  Right now, the way I have it, a user or spam bot can register, the information gets stored in the db, but if it was a fake register, the information stays in there filling it up.  I've got an email going to the user for them to verify who they are, but the information is already in the db.  I'd like to try something else.  I was thinking about having the information hidden that gets sent to their email and not adding this information until they confirm, but I feel that is a security issue.  I'd like to know best practices for this to make it right.
Question by:pingeyeg
13 Comments
 
LVL 3

Expert Comment

by:Mestika
ID: 34888575
There are several ways of doing that, but using your example you could store user information in the database for, say, 10 days, and then send a mail with an activation link.

Then you have a function which checks your database. If a boolean attribute "active" is false for the datecreated attribute + 10 days, then it automatically deletes the entry.

The problem with "hiding" the user content outside the database is that it is both a security risk and can be really annoying for your users if they, for example, wait one day to activate their account.

This is one example of how to do it.

Sincerely
Mestika
 
LVL 1

Author Comment

by:pingeyeg
ID: 34888665
So, in other words, I could write a PHP function that will check the database every day, check the dates on all user accounts and remove the ones where the active key is blank?  I like the sound of that.  Will the function run in the background on the site without me doing anything?
 
LVL 2

Expert Comment

by:requeue
ID: 34888679
Hi pingeyeg,

I propose two ways.

1. Create a pending user table to store the user info until confirmation.
The pending user table should have a registration date. If the new user confirms within a certain time, purge the information from the table. If the user confirmed, move the information to the registered user table.
2. Prevent bots from registering as much as possible by using a confirmation code at registration.
Captcha is a popular way.
http://en.wikipedia.org/wiki/CAPTCHA
 
LVL 17

Expert Comment

by:jrm213jrm213
ID: 34888680
Hi,

A couple of options,

1. Implement reCAPTCHA or a similar script: http://www.google.com/recaptcha  so that users have to enter the characters in the box in order to register. This will get rid of the majority of your spambots. On WordPress blogs I was running, reCAPTCHA dropped the number of spam registrations by 95% on average.

2. You could have the fake data stored in a holding table that is a duplicate of your members table. When the user clicks the activate link in the email you sent, move the record from the holding table to the members table. Run a daily or weekly batch job to delete the rows in the holding table that are more than X days old.

 
LVL 2

Expert Comment

by:requeue
ID: 34888840
> Will the function run in the background on the site without me doing anything?
If you can access the cron service, register a script to purge unconfirmed user information from the table.

http://en.wikipedia.org/wiki/Cron
http://www.webmasters-central.com/article-blog/tutorials/cron-tutorial-managing-cron-tab-or-cron-job-is-easy/

In my opinion, it's enough to run the job once a day.

If you cannot access the cron service, you have to select a trigger to purge the information.
I would select new user registration as the trigger to purge unconfirmed information from the pending user table.

 
LVL 108

Expert Comment

by:Ray Paseur
ID: 34889356
(1) If you use a captcha you will eliminate the overwhelming majority of "false positives" in the database.
(2) The cost of disk space is so cheap that you should not worry about it.
(3) If you add something like this to the design, you may help solve your problem...

Upon each new registration, DELETE all unconfirmed rows from the table that are older than 48 hours, then SELECT all unconfirmed rows from the table that are older than 24 hours and send them the registration/confirmation email again.  Obviously you will want to have a flag in the client record that tells whether you have sent the reconfirmation email already.

I have an article here that might be helpful.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_3939-Registration-and-Email-Confirmation-in-PHP.html
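The pending-table design the replies above converge on (hold the row until the link is clicked, remind once at 24 hours, purge at 48 hours, sweep on each new registration or from cron), as an added example that is not code from this thread. It is written in Python with sqlite3 rather than PHP so the SQL and the flow run as-is; the schema, column names and the hashed one-time token are assumptions.

```python
import hashlib
import secrets
import sqlite3
from datetime import datetime, timedelta

# Constructed pending-registration store (in-memory sqlite, assumed schema): hold the
# row until the e-mail link is clicked, remind once after 24 h, purge after 48 h.
SCHEMA = """
CREATE TABLE pending (email TEXT PRIMARY KEY, token_hash TEXT NOT NULL,
                      created TEXT NOT NULL, resent INTEGER NOT NULL DEFAULT 0);
CREATE TABLE members (email TEXT PRIMARY KEY, joined TEXT NOT NULL);
"""

def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def _hash(token):
    return hashlib.sha256(token.encode()).hexdigest()

def _hours_ago(now_iso, hours):
    return (datetime.fromisoformat(now_iso) - timedelta(hours=hours)).isoformat()

def register(db, email, now_iso):
    """Insert the pending row and return the one-time token for the e-mail link.
    Only its hash is stored, so reading the table does not yield a usable link."""
    token = secrets.token_urlsafe(32)
    db.execute("INSERT OR REPLACE INTO pending VALUES (?, ?, ?, 0)",
               (email, _hash(token), now_iso))
    return token

def confirm(db, email, token, now_iso):
    """Move the row to members if the token matches (constant-time compare)."""
    row = db.execute("SELECT token_hash FROM pending WHERE email = ?", (email,)).fetchone()
    if row is None or not secrets.compare_digest(row[0], _hash(token)):
        return False
    db.execute("DELETE FROM pending WHERE email = ?", (email,))
    db.execute("INSERT INTO members VALUES (?, ?)", (email, now_iso))
    return True

def housekeeping(db, now_iso):
    """Ray's sweep, run on each new registration or from cron: purge rows older
    than 48 h, then return the e-mails older than 24 h still owed one reminder."""
    db.execute("DELETE FROM pending WHERE created < ?", (_hours_ago(now_iso, 48),))
    cutoff = _hours_ago(now_iso, 24)
    due = [r[0] for r in db.execute(
        "SELECT email FROM pending WHERE created < ? AND resent = 0", (cutoff,))]
    db.execute("UPDATE pending SET resent = 1 WHERE created < ? AND resent = 0", (cutoff,))
    return due
```

The caller sends the reminder e-mails to the addresses `housekeeping` returns; the `resent` flag is what keeps a row from being reminded twice.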
 
LVL 1

Author Comment

by:pingeyeg
ID: 34890159
I tried using the reCAPTCHA tools, but it doesn't seem to be working.  I placed the public and private keys in their corresponding locations, but each time I type the correct wording, it tells me I was wrong.  Any ideas?
 
LVL 17

Expert Comment

by:jrm213jrm213
ID: 34890228
Are you receiving "incorrect-captcha-sol" from recaptcha? Or some other error?

 
LVL 108

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 34890245
Yes - do not use reCaptcha.  Use this little script instead.
<?php // RAY_captcha_image.php

// GENERATES A PICTURE OF A NUMBER INTO THE BROWSER OUTPUT
error_reporting(E_ALL ^ E_NOTICE);

// DECODE THE INCOMING STRING
$data = base64_decode($_GET['dt']);

// CREATE AN IMAGE RESOURCE - CHOOSE THE SIZE THAT BEST MATCHES YOUR PAGE STYLE
$im = imagecreate(46,13);

// WHITE BACKGROUND
$bg = imagecolorallocate($im, 255,255,255);

// GRAY STRIPES
$gray = imagecolorallocate($im, 188,188,188);

// FIREBRICK TEXT
$text = imagecolorallocate($im, 178,34,34);

// ADD THE NUMBER TO THE IMAGE
imagestring($im,5,4,0,$data,$text);

// WRITE A GRAY STRIPE (OR MORE IF YOU CHOOSE)
imageline($im,4,12,38,0,$gray);

// SEND THE IMAGE INTO THE BROWSER OUTPUT STREAM
header('Content-type: image/png');
imagepng($im);
imagedestroy($im);
This shows how to use it.
<?php // RAY_captcha_in_action.php
error_reporting(E_ALL);

// IF ANYTHING WAS POSTED
if (!empty($_POST))
{
    // TEST THE STRINGS
    if ($_POST["_newMd5"] != md5($_POST["_newCode"]))
    {
        // MIGHT WANT TO MAKE THIS USER-FRIENDLY
        echo 'SECURITY CODE NUMBER DID NOT MATCH';
    }
    else
    {
        echo "SUCCESS!";
    }
}
// END OF PHP - PUT UP THE FORM
?>
<form method="post">
<!-- STYLE THIS TO SUIT YOUR PAGE STYLE -->
Type <img style="display:inline;" src="RAY_captcha_image.php?dt=<?php $x = mt_rand(1000,10000); echo base64_encode($x); ?>" /> here:
<input name="_newCode" type="text"   maxlength="64" size="6" autocomplete="off" />
<input name="_newMd5"  type="hidden" value="<?php echo md5($x); ?>" />
<input type="submit" />
</form>
You can test it online here: http://www.laprbass.com/RAY_captcha_in_action.php
 
LVL 1

Author Comment

by:pingeyeg
ID: 34890540
jrm213jrm213 : Yes, I'm receiving "incorrect-captcha-sol".
 
LVL 17

Expert Comment

by:jrm213jrm213
ID: 34890878
I have read a couple of posts that mention that if your page is set up incorrectly, like a <form> tag inside a <table> tag

i.e. if it is set up like this, reCAPTCHA might not work

<table>
<form>
<tr><td>Input 1: <input id="mytextbox" name="mytextbox"/></td></tr>
</form>
</table>

because table shouldn't be able to contain form. <td> can, though.

But that is all I have run into searching a few forums.

Run your page through the w3c validator and see if your page is ok http://validator.w3.org/

or try Ray's script. His stuff is usually solid.

 
LVL 1

Author Comment

by:pingeyeg
ID: 34890961
Fortunately, I don't have any tables on the page so that wouldn't be the case.  I keep searching, but might have to go with Ray's script as you say.
 
LVL 3

Expert Comment

by:Mestika
ID: 34891999
Hey pingeyeg,

let me just elaborate on my suggestion from earlier today. I would suggest either a PHP script, a Python script or maybe a Java application or something like that which can run on your server.
Of course the choice depends on your exact server. Is it your own? Do you have access to it, or is it remotely hosted and you have no say over it and its components?

Nonetheless you can use either approach; please search Google for running PHP code in the background - this also depends on your server (Linux, Windows, other).
I don't know how many users we are talking about, but as a rough guess I would think somewhere between 10 and 1000 users a day, and for that amount a script really doesn't take a long time to execute, and even faster if you index your database correctly according to the attributes.

But yeah, that would be my suggestion, and you will discover some great advantages by doing so - for example to "reserve" a username or "already" register an e-mail address so a user can't register more accounts in the time before activating.
More than that, there are some advantages in performance - you can set your clean-up script to execute when there is the least amount of users active on your site, for example 4AM or something like that.
And by using an external script your site and users will not be hit by any (or very little) performance decrease.

That's my five cents :-)