brgdotnet (United States of America) asked:
Strategy for account creation and confirmation

I am building a website where someone signs up for an account. I then send them a confirmation email message. The confirmation email message then has a link to the login page.

I noticed other sites have this strategy. I am confused though. Why are they sent a confirmation email when they can just go directly to the login page by clicking on a "Login" link already on the page?

Can someone help me to understand? Also, instead, should my confirmation email have a unique key like a GUID which I should check when the person logs in for the first time? Would that be a much better strategy?

The guid would be embedded in the URL so that I could get this value and check it when the person logs in for the first time.
btan:
It is actually to send to the intended user's email for the requested account creation and not to some other email on their behalf. This is just a means to the end and not foolproof in assuring an authorised party via the confirmation. There can be further identity checks tied to it besides email, which can also be spoofed.
The uniqueness of the link leading to the confirmation page should allow acknowledgement and single sign-on for that short period using some sort of random session id tied to that user account. The confirmation should not persist after the period enforced.

Likewise, it also deters bots creating accounts using some automated form filler and creating orphan, dead or unauthorised accounts.

You can see this discussion too:
http://stackoverflow.com/questions/1495032/do-we-really-need-email-confirmation
brgdotnet (asker):
Thank you for contributing, and you have earned some points dear sir. I need to hear from others though with strong experience in this area.

Let me paraphrase, so that I am more specific in my needs.

To help prevent fake account creation and identity spoofing, I am wondering specifically if the following approach is sufficient.
1. Have the user register.
2. Send the user an email message with a GUID (unique id).
    The email message will contain a URL which references a log-in page.
    The URL will contain a unique GUID, which can be accessed with the query string.
3. When the application user clicks on the hyperlink, they will be taken to the login page. In my code I will then check the GUID in the database, along with their username and password. If these three values are in the database, I will check off a table value (true/false) that they accessed the login page using the emailed hyperlink with the GUID.
4. If step 3 is completed, subsequent login attempts will no longer check for the existence of the GUID. They will just be able to log in using their username and password.
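A worked version of the token lifecycle the asker lays out in steps 1 to 4, with the expiry and single-use behaviour btan describes, written here as an added example rather than code from either participant. It assumes an in-memory dict standing in for the site's user table and leaves out the password check, which happens separately at login.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

@dataclass
class Account:
    username: str
    token_hash: Optional[str] = None      # only a hash of the emailed token is stored
    token_expires: Optional[datetime] = None
    confirmed: bool = False

# Constructed in-memory stand-in for the site's user table (assumption for this example).
ACCOUNTS: Dict[str, Account] = {}
TOKEN_LIFETIME = timedelta(hours=24)     # the emailed link stops working after this period

def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def register(username: str, now: datetime) -> str:
    """Steps 1 and 2: create the unconfirmed account and return the token to embed in the emailed URL."""
    token = secrets.token_urlsafe(32)    # 256 bits from a CSPRNG; the raw token goes only into the email
    ACCOUNTS[username] = Account(username, _hash(token), now + TOKEN_LIFETIME)
    return token

def confirm(username: str, token: str, now: datetime) -> str:
    """Step 3: called when the emailed link is opened. Returns 'confirmed', 'expired' or 'invalid'."""
    acct = ACCOUNTS.get(username)
    if acct is None or acct.token_hash is None:
        return "invalid"                 # unknown user, or the link was already used
    if now > acct.token_expires:
        return "expired"                 # account stays unconfirmed; a fresh link must be issued
    if not hmac.compare_digest(acct.token_hash, _hash(token)):
        return "invalid"                 # constant-time compare of the stored and presented hashes
    acct.confirmed = True
    acct.token_hash = None               # single use: the same link cannot confirm again
    acct.token_expires = None
    return "confirmed"

def can_log_in(username: str) -> bool:
    """Step 4: after confirmation, login depends only on the confirmed flag (password check omitted)."""
    acct = ACCOUNTS.get(username)
    return acct is not None and acct.confirmed
```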
Asker certified solution: btan (solution text available only to Experts Exchange members).
Thank you.