Solved

Best practice for register login forms

Posted on 2011-02-14
13
283 Views
Last Modified: 2012-05-11
Experts, I have a question for you.  I want to make my register form stronger in regards to security for my customer.  Right now, the way I have it, a user or spam bot can register, the information gets stored in the db, but if it was a fake register, the information stays in there filling it up.  I've got an email going to the user for them to verify who they are, but the information is already in the db.  I'd like to try something else.  I was thinking about having the information hidden that gets sent to their email and not adding this information until they confirm, but I feel that is a security issue.  I'd like to know best practices for this to make it right.
0
Comment
Question by:pingeyeg
  • 4
  • 3
  • 2
  • +2
13 Comments
 
LVL 3

Expert Comment

by:Mestika
ID: 34888575
There is several ways of doing that but using your example you could store user information in the database for, like say 10 days, and then send a mail with an activation link.

Then, you have an function which checks your database. If an boolean attribute "active" is false for the datecreated attribute + 10 days, then it automatically delete the entry.

The problem with "hidding" the user content outside the database is both a security risk but also it can be really annoying for your users if they for example wait one day to activate their account.

This is one example of how to do it.

Sincerely
Mestika
0
 
LVL 1

Author Comment

by:pingeyeg
ID: 34888665
So, in other words, I could write a php function that will check the database everyday and check the dates on all user accounts and remove the ones where the active key is blank?  I like the sound of that.  Will the function run in the background on the site without me doing anything?
0
 
LVL 2

Expert Comment

by:requeue
ID: 34888679
Hi pingeyeg,

I propose two way.

1. Create pending user table to store the user info until confirmation.
Pending user table should have registration date. if the new user confirm within a certain time, purge the inforamation from the table. if user confirmed, move the information to registered user table.
2. Prevent bots to register as much as possible by using the confirmation code at registration.
Captcha is a popular way.
http://en.wikipedia.org/wiki/CAPTCHA
0
Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

 
LVL 17

Expert Comment

by:jrm213jrm213
ID: 34888680
Hi,

A couple of options,

1. Implement re-captcha or similar script: http://www.google.com/recaptcha  so that users have to enter the characters in the box in order to register. This will get rid of the majority of your spambots. On wordpress blogs I was running, on average recaptcha dropped the number of spam-registrations by 95%.

2. You could have the fake data stored in a holding table that is a duplicate of your members table. when the user clicks the activate link in the email you sent, move the record from the holding table to the members table. Run a daily or weekly batch job to delete the rows in the holding table that are more than X days old.

0
 
LVL 2

Expert Comment

by:requeue
ID: 34888840
> Will the function run in the background on the site without me doing anything?
If you can access cron service, register a script to purge unconfirmed user information from the table.

http://en.wikipedia.org/wiki/Cron
http://www.webmasters-central.com/article-blog/tutorials/cron-tutorial-managing-cron-tab-or-cron-job-is-easy/

In my opinion, it's enough to run job once a day.

If you can not access cron service, you have to select an trigger to purge the information.
I will select new user registration as a trigger to purge unconfirmed information from pending user table.


0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 34889356
(1) If you use captcha you will eliminate the overwhelming majority of "false positives" in the data base.
(2) The cost of disk space is so cheap that you should not worry about it.
(3) If you add something like this to the design, you may help solve your problem...

Upon each new registration, DELETE all unconfirmed rows from the table that are older than 48 hours, then SELECT all unconfirmed rows from the table that are older than 24 hours and send them the registration/confirmation email again.  Obviously you will want to have a flag in the client record that tells whether you have sent the reconfirmation email already.

I have an article here that might be helpful.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_3939-Registration-and-Email-Confirmation-in-PHP.html
0
 
LVL 1

Author Comment

by:pingeyeg
ID: 34890159
I tired using the reCAPTCHA tools, but it doesn't seem to be working.  I place the public and private keys in their corresponding locations, but each time I type the correct wording, it tells me I was wrong.  Any ideas?
0
 
LVL 17

Expert Comment

by:jrm213jrm213
ID: 34890228
Are you receiving "incorrect-captcha-sol" from recaptcha? Or some other error?

0
 
LVL 109

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 34890245
Yes - do not use reCaptcha.  Use this little script instead.
<?php // RAY_captcha_image.php

// GENERATES A PICTURE OF A NUMBER INTO THE BROWSER OUTPUT
error_reporting(E_ALL ^ E_NOTICE);

// DECODE THE INCOMING STRING
$data = base64_decode($_GET['dt']);

// CREATE AN IMAGE RESOURCE - CHOOSE THE SIZE THAT BEST MATCHES YOUR PAGE STYLE
$im = imagecreate(46,13);

// WHITE BACKGROUND
$bg = imagecolorallocate($im, 255,255,255);

// GRAY STRIPES
$gray = imagecolorallocate($im, 188,188,188);

// FIREBRICK TEXT
$text = imagecolorallocate($im, 178,34,34);

// ADD THE NUMBER TO THE IMAGE
imagestring($im,5,4,0,$data,$text);

// WRITE A GRAY STRIPE (OR MORE IF YOU CHOOSE)
imageline($im,4,12,38,0,$gray);

// SEND THE IMAGE INTO THE BROWSER OUTPUT STREAM
header('Content-type: image/png');
imagepng($im);
imagedestroy($im);

Open in new window

This shows how to use it.
<?php // RAY_captcha_in_action.php
error_reporting(E_ALL);

// IF ANYTHING WAS POSTED
if (!empty($_POST))
{
    // TEST THE STRINGS
    if ($_POST["_newMd5"] != md5($_POST["_newCode"]))
    {
        // MIGHT WANT TO MAKE THIS USER-FRIENDLY
        echo 'SECURITY CODE NUMBER DID NOT MATCH';
    }
    else
    {
        echo "SUCCESS!";
    }
}
// END OF PHP - PUT UP THE FORM
?>
<form method="post">
<!-- STYLE THIS TO SUIT YOUR PAGE STYLE -->
Type <img style="display:inline;" src="RAY_captcha_image.php?dt=<?php $x = mt_rand(1000,10000); echo base64_encode($x); ?>" /> here:
<input name="_newCode" type="text"   maxlength="64" size="6" autocomplete="off" />
<input name="_newMd5"  type="hidden" value="<?php echo md5($x); ?>" />
<input type="submit" />
</form>

Open in new window

You can test it online here: http://www.laprbass.com/RAY_captcha_in_action.php
0
 
LVL 1

Author Comment

by:pingeyeg
ID: 34890540
jrm213jrm213 : Yes, I'm receiving "incorrect-captcha-sol".
0
 
LVL 17

Expert Comment

by:jrm213jrm213
ID: 34890878
I have read a couple posts that mention that if your page is setup incorrectly like a <form> tag inside a <table> tag

ie... if it is set like this it recaptcha might not work

<table>
<form>
<tr><td>Input 1: <input id="mytextbox" name="mytextbox"/></td></tr>
</form>
</table>

because table shouldn't be able to contain form. <td> can though.

But that is all I have run into searching a few forums.

Run your page through the w3c validator and see if your page is ok http://validator.w3.org/

or try Ray's script. His stuff is usually solid.

0
 
LVL 1

Author Comment

by:pingeyeg
ID: 34890961
Fortunately, I don't have any tables on the page so that wouldn't be the case.  I keep searching, but might have to go with Ray's script as you say.
0
 
LVL 3

Expert Comment

by:Mestika
ID: 34891999
Hey pingeyeg,

let me just elaborate over my suggestion earlier today. I would either suggest a PHP script, a Python script or maybe a java application or something like that which can run on your server.
Of cause the choice depends on exactly your server. Is it your own? Do you have access to it or is it remotely hosted and you have no decide over it and its components?

Nonetheless you can use either approach and please search Google for running PHP code in the background - this also depend on your server (Linux, Windows, other).
I don't know how many users we are talking about but a rough guess I would think somewhere between 10 to 1000 users at day and for that amount a script you really doesn't take a long time to execute and even faster if you indexes your database correctly according to the attributes.

But yeah, that would be my suggestion and you will discover some great advantages by doing so - for example to "reserve" a username or "all-ready" register a E-mail address so a user can't register more accounts in the time before activating.
More than that there is some advantages in the performance - you can set your clean-up script to execute when there is at least amount of users active on your site, for example 4AM or something like that.
And by using an external script your site and users will not be hit by the any (or very little) performance decrease.

That's my five cents :-)
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
What's wrong with this PDO query? 5 28
Wordpress Security 29 49
Undefined variable problem 5 23
Generate PDF from MySQL using PHP 3 26
Author Note: Since this E-E article was originally written, years ago, formal testing has come into common use in the world of PHP.  PHPUnit (http://en.wikipedia.org/wiki/PHPUnit) and similar technologies have enjoyed wide adoption, making it possib…
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question