Solved

Strategy for account creation and confirmation

Posted on 2013-05-26
4
263 Views
Last Modified: 2013-06-09
I am building a website where someone signs up for an account. I then send them a confirmation email message. The confirmation email message then has a link to the login page.

I noticed other site have this strategy. I am confused though. Why are they sent a confirmation email when they can just go directly to the login page by clicking on a "Login" link already on the page?

Can someone help me to understand? Also, instead, Should my confirmation email have a unique key like a guid which I should check when the person logs in for the first time? Would that be a much better strategy?

The guid would be embedded in the URL so that I could get this value and check it when the person logs in for the first time.
0
Comment
Question by:brgdotnet
  • 2
  • 2
4 Comments
 
LVL 61

Expert Comment

by:btan
Comment Utility
It is actually to send to the intended user email for requested account creation and not to other intended email on behalf. This is just an mean to the end and not foolproof to assure authorise party via the confirmation. There can be further identity check tied to it beside email which can also be spoofed..
 The uniqueness of the link leading to the confirmation page should allow acknowledgement and single sign on for that short period using some sort of random session id tied to that user account. The confirmation should not persist after the period enforced.

Likewise also to deter bot creating account using some automated form filler and creating orphan or dead account or unuathorised account.

You can see this discussion too
http://stackoverflow.com/questions/1495032/do-we-really-need-email-confirmation
0
 
LVL 2

Author Comment

by:brgdotnet
Comment Utility
Thank you for contributing, and you have earned some points dear sir. I need to hear from others though with strong experience in this area.

Let me paraphrase, so that I am more specific in my needs.

To help prevent fake account creation and identity spoofing, I am wondering specifically if the following approach is sufficient.
1. Have user Register.
2. Send user an email message with GUID(Unique Id)
    The email message will contain a url which references a log-in page.
    The URL will contain a unique quid in the url, which can be accessed with the query string.
3. When the application user clicks on the hyperlink, they will be taken to the login page. In my Code I will then check the quid in the database, along with their username and password. If these three values are in the database, I will check off a table value (true/false) that they accessed the login page using the emailed hyperlink with the guid.
4. If step 3 is completed, subsequent login attempts will no longer check for the existence of the guid.They will just be able to login using their username and password.
0
 
LVL 61

Accepted Solution

by:
btan earned 205 total points
Comment Utility
Understand where you coming from but also do consider the "replayable" part of it as any intent to capture and replay that back to server, like someone able to sniff or repeat this guid and send back to server - no one is wiser and spoofing can still work through. So I was thinking if time period is consider for the confirmation email to com back to server for specific period, it may help to reduce the exposure. Maybe even besides GUID, and if it is binded to specific timestamp and the credential info where possible, it may help (but does complicate codes).

Actually for session based token or ID, random id in GET request is common. OWASP also has sharing on cheatsheet on this part
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_ID_Life_Cycle

But I do find code available doing likewise on GUID (or called "ProviderUserKey" in article below) which you may be interested by far, it seems the approach is fitting too for the confirmation. Probably will also need to check on the email entered as another layer check
http://www.codeproject.com/Questions/111635/mail-confirmation-in-asp-net
http://www.codeproject.com/Articles/313153/ASP-NET-MVC-reCAPTCHA-and-Email-Confirmation
http://www.codeproject.com/Articles/5189/End-to-end-Email-Address-Verification-for-Applicat
0
 
LVL 2

Author Closing Comment

by:brgdotnet
Comment Utility
Thank you.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Join & Write a Comment

Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now