Solved

Strategy for account creation and confirmation

Posted on 2013-05-26
Medium Priority
274 Views
Last Modified: 2013-06-09
I am building a website where someone signs up for an account. I then send them a confirmation email message. The confirmation email message then has a link to the login page.

I noticed other sites have this strategy. I am confused though. Why are they sent a confirmation email when they can just go directly to the login page by clicking on a "Login" link already on the page?

Can someone help me to understand? Also, instead, should my confirmation email have a unique key like a GUID which I should check when the person logs in for the first time? Would that be a much better strategy?

The GUID would be embedded in the URL so that I could get this value and check it when the person logs in for the first time.

Question by: brgdotnet
4 Comments
 
LVL 64

Expert Comment

by:btan
ID: 39198514
It is actually to send to the intended user's email for the requested account creation and not to another email on their behalf. This is just a means to an end and not foolproof to assure an authorised party via the confirmation. There can be further identity checks tied to it besides email, which can also be spoofed.

The uniqueness of the link leading to the confirmation page should allow acknowledgement and single sign-on for that short period using some sort of random session id tied to that user account. The confirmation should not persist after the enforced period.

Likewise, also to deter bots creating accounts using some automated form filler and creating orphan, dead or unauthorised accounts.

You can see this discussion too
http://stackoverflow.com/questions/1495032/do-we-really-need-email-confirmation
 
LVL 2

Author Comment

by:brgdotnet
ID: 39199225
Thank you for contributing, and you have earned some points dear sir. I need to hear from others though with strong experience in this area.

Let me paraphrase, so that I am more specific in my needs.

To help prevent fake account creation and identity spoofing, I am wondering specifically if the following approach is sufficient.
1. Have the user register.
2. Send the user an email message with a GUID (unique id).
    The email message will contain a URL which references a log-in page.
    The URL will contain a unique GUID, which can be accessed with the query string.
3. When the application user clicks on the hyperlink, they will be taken to the login page. In my code I will then check the GUID in the database, along with their username and password. If these three values are in the database, I will check off a table value (true/false) that they accessed the login page using the emailed hyperlink with the GUID.
4. If step 3 is completed, subsequent login attempts will no longer check for the existence of the GUID. They will just be able to log in using their username and password.
 
LVL 64

Accepted Solution

by: btan (earned 820 total points)
ID: 39199234
I understand where you're coming from, but also consider the "replayable" part of it, as any attempt to capture and replay that back to the server, like someone able to sniff or repeat this GUID and send it back to the server - no one is the wiser and spoofing can still work through. So I was thinking if a time period is considered for the confirmation email to come back to the server within a specific period, it may help to reduce the exposure. Maybe even besides the GUID, if it is bound to a specific timestamp and the credential info where possible, it may help (but does complicate the code).

Actually for session-based tokens or IDs, a random id in a GET request is common. OWASP also has a cheat sheet on this part:
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_ID_Life_Cycle

But I do find code available doing likewise on GUID (or called "ProviderUserKey" in the article below) which you may be interested in; by far, it seems the approach is fitting too for the confirmation. Probably will also need to check the email entered as another layer of checking:
http://www.codeproject.com/Questions/111635/mail-confirmation-in-asp-net
http://www.codeproject.com/Articles/313153/ASP-NET-MVC-reCAPTCHA-and-Email-Confirmation
http://www.codeproject.com/Articles/5189/End-to-end-Email-Address-Verification-for-Applicat
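The four-step flow proposed by the asker, with the expiry, single-use and credential-binding points raised in the accepted answer, as an added worked example (editor's code, not code from either participant or from the linked articles). It assumes an in-memory dictionary standing in for the database, a constructed 24-hour token lifetime, and a fast SHA-256 password hash purely for demonstration; a production site would use a slow password hash and a persistent store. The `now` parameter exists only so the expiry path can be exercised deterministically.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600  # assumption: confirmation links expire after one day

# Constructed in-memory "database"; a real site would use persistent tables.
users = {}           # username -> {"email", "password_hash", "confirmed"}
pending_tokens = {}  # sha256(token) -> {"username", "expires"}


def _hash_token(token: str) -> str:
    # Store only a digest, so a database leak does not expose live confirmation links.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password: str) -> str:
    # Demonstration only: real code uses bcrypt/argon2 or an equivalent slow hash.
    return hashlib.sha256(password.encode()).hexdigest()


def register(username: str, email: str, password: str, now=None) -> str:
    """Steps 1 and 2: create the unconfirmed account and return the one-time link token."""
    now = time.time() if now is None else now
    users[username] = {
        "email": email,
        "password_hash": _hash_password(password),
        "confirmed": False,
    }
    # 256 bits from the OS CSPRNG; a GUID is not guaranteed to be unguessable.
    token = secrets.token_urlsafe(32)
    pending_tokens[_hash_token(token)] = {
        "username": username,          # token is bound to this account only
        "expires": now + TOKEN_TTL_SECONDS,
    }
    # The token goes into the emailed URL, e.g. https://example.invalid/confirm?token=<token>
    return token


def login(username: str, password: str) -> bool:
    """Step 4: ordinary credential check; the token is never required again."""
    user = users.get(username)
    if user is None:
        return False
    return hmac.compare_digest(user["password_hash"], _hash_password(password))


def confirm(token: str, username: str, password: str, now=None) -> bool:
    """Step 3: the link lands on the login page; token, username and password must all match."""
    now = time.time() if now is None else now
    key = _hash_token(token)
    record = pending_tokens.get(key)
    if record is None:
        return False  # unknown, already used, or forged token
    if now > record["expires"]:
        del pending_tokens[key]
        return False  # expired: narrows the window in which a captured link is useful
    if record["username"] != username:
        return False  # token was issued to a different account
    if not login(username, password):
        return False  # link alone is not enough; the credentials must match too
    del pending_tokens[key]  # single use: replaying the same link fails from here on
    users[username]["confirmed"] = True
    return True


def can_sign_in(username: str, password: str) -> bool:
    """Only confirmed accounts with correct credentials get a session."""
    return login(username, password) and users[username]["confirmed"]
```

Deleting the stored digest on first successful use is what defeats the replay the accepted answer describes: a sniffed link can be resent, but the server no longer recognises it. The expiry check bounds the exposure of links that were never clicked, and comparing the token's recorded username against the login form prevents a token issued to one address from confirming a different account.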
 
LVL 2

Author Closing Comment

by:brgdotnet
ID: 39232446
Thank you.
